Let's concede the headline first
Per the FIDO Alliance's 2026 State of Passkeys report, roughly 5 billion passkeys are now in use, 75% of consumers have enabled one on at least one account, and about half use them regularly where offered. Industry benchmarks put fintech passkey adoption near 60%. For passkeys vs SMS OTP as a primary login factor, the fight is over: passkeys are phishing-resistant, free per login, and faster to use. If you are building primary authentication for a consumer app in 2026 and passkeys are viable for your users, build passkeys.
So why does SMS OTP volume keep growing while its *share* of authentication shrinks? Because the market grew (Mordor Intelligence still projects authentication traffic as the biggest driver of incremental A2P growth through 2031), and because the jobs left over after passkeys take primary login are jobs only a channel like SMS can do.
The jobs passkeys cannot take
| Job | Why passkeys struggle | Why SMS fits |
|---|---|---|
| Account recovery | Lost device often means lost passkey — recovery needs an out-of-band channel | The phone number survives the lost laptop |
| First contact / onboarding | No account yet means no passkey to use | Number verification is still how you prove a human owns a reachable identity |
| No-smartphone users | Feature phones and shared devices cannot hold platform passkeys | SMS reaches every GSM handset on earth |
| Cross-platform edge cases | Ecosystem sync gaps still strand users mid-migration | Works identically everywhere |
| High-risk step-up | A second, different-channel signal is the point | Out-of-band by construction |
Even the passkey vendors say this part quietly: SMS moves from primary factor to fallback and recovery factor. Authsignal's 2026 implementation survey describes exactly that ladder. Fallback is a demotion — and it is also a permanent seat, because the recovery path is the one your angriest, most-locked-out users will ever touch. That fallback rung is where SMS sits in a multichannel fallback architecture, and whether you keep SMS 2FA at all depends on the account's value.
The FIDO data cuts both ways: 75% have *enabled* a passkey somewhere, but only ~49% use them regularly, and low-assurance SMS still carries about 15% of sign-ins (down from 17.5%). The tail is long. Your auth system serves the tail too.
Architecting the 2026 ladder
- Passkey-first for primary loginOffer passkey creation at signup and after each password login. This is the industry default now; fighting it wastes everyone's time.
- SMS OTP for enrollment and recoveryVerify the phone number once at onboarding, and keep OTP as the recovery rung. Build it properly with hashed codes, short TTL, and attempt caps, per our OTP best-practices guide.
- Defend the fallback rung hardAttackers migrate to the weakest rung, and pumping bots love recovery endpoints. Rate limits and pre-send validation from our SMS pumping guide apply doubly here.
- Budget it as fallback trafficFallback volume is lower and spikier than primary-login volume. Per-message economics matter more than platform fees at that shape. The math in our Twilio Verify alternatives analysis favors owning the flow on raw SMS.
What this means for buying SMS
If SMS OTP is becoming your fallback rung rather than your front door, your requirements change: you need reliable delivery for a smaller volume, fast starts, and no long vendor onboarding for what is now a secondary system. That is, frankly, the shape we built for. SMSRoute is a no-KYC SMS API with crypto billing (BTC, ETH, USDT, XMR, LTC, and SOL), and a recovery-path integration is the 5-line job plus an afternoon of rate-limiting. SMSRoute's published route pages list delivery from $0.004/message (premium direct-carrier corridors up to $0.035) with sub-100ms median submission and ~98.6% delivered success (smsroute.cc route pages, 2026).
And if a vendor tells you SMS OTP is dead, check what they sell. If a vendor tells you passkeys are hype, check what *they* sell. Both pitches are inventory talking. The boring truth: primary auth went to passkeys, the recovery and reach jobs stayed with SMS, and a well-built system in 2026 uses each for what it is. For more on passkey adoption trends, see the FIDO Alliance's 2026 State of Passkeys report.
Related reading
FAQ
Are passkeys replacing SMS OTP?
Is SMS OTP still secure enough to use in 2026?
Why keep SMS at all if passkeys are free per login?
How should I budget SMS once it becomes my fallback factor?
Send your first SMS in 5 minutes
No KYC. Pay with BTC, ETH, USDT, XMR, LTC, and SOL. Live routes to 149 countries.
Get an API key →