
SMS OTPs are reliable — and expensive. At scale, per-message fees quietly become one of the largest lines in an auth budget.
We built wa2fa: a Keycloak 26.x plugin that delivers one-time passwords over WhatsApp via the Meta Cloud API. It drops into the existing authentication flow with no custom UI.
The result: the same second factor your users already trust, without the per-OTP SMS bill.