Enterprise Passkey Whitepaper. Practical guidance, rollout patterns, and KPIs for passkey programs.
In this post, we provide a concise overview of the current state of passkey adoption within India. Passkeys represent the next generation of secure and user-friendly authentication, moving beyond the vulnerabilities of traditional passwords and SMS one-time passwords (OTPs). As a leader in passkey solutions, we are keenly observing how different regions are adopting this technology. India is one of the most compelling markets in the world: it combines the largest real-time payment system on the planet, an ambitious regulator moving decisively away from SMS OTP and a digital identity stack that touches over a billion people.
This article explores five key questions:
By answering these questions, we highlight the key developments, challenges and milestones that are shaping India's passkey landscape, from regulatory shifts to real-world adoption.
Passkeys replace traditional passwords with a much simpler and more secure way to log into websites and apps. Instead of typing a password or an OTP, you use your device's built-in security features, like your fingerprint, face recognition or device PIN, to sign in. Each passkey is unique to the website or app it is used for and is stored securely on your device(s).
Technically, a passkey is a public-key credential based on the FIDO2/WebAuthn standards. The private key is never exposed to the website; only the matching public key is registered with the service. With synced passkeys the private key is backed up and shared across a user's devices through an end-to-end encrypted credential manager (such as iCloud Keychain or Google Password Manager), while device-bound passkeys stay on a single authenticator. In both cases the key material is never handed to the relying party. At login, the server sends a one-time challenge, the device signs it with the private key (unlocked by the user's biometric or PIN) and the server verifies that signature against the stored public key. Because the signature is cryptographically bound to the legitimate site's relying party ID, a passkey created for one domain simply will not sign in on a look-alike phishing domain. This is what makes passkeys highly resistant to common online threats like phishing scams, SIM swap attacks and large-scale data breaches, where passwords and OTPs might be stolen or intercepted.
The push towards passkeys in India is driven by several structural factors:
India runs the largest real-time payment system in the world. In December 2025 alone, the Unified Payment Interface (UPI) processed over 21.6 billion transactions worth around ₹27.97 lakh crore (about US$318 billion), and across the full year 2025 UPI crossed 228 billion transactions. With roughly 958 million internet users (IAMAI–Kantar, 2025), the sheer size of the login and payment surface makes phishing-resistant authentication a national priority rather than a nice-to-have.
For over a decade, SMS OTP has been the backbone of Indian digital authentication. But OTPs are increasingly bypassed through phishing, SIM swap fraud and social engineering. In Authorized Push Payment scams, a deceived customer voluntarily enters the OTP, turning the safeguard into a tool of the crime. India's cyber agency CERT-In handled around 2.94 million incidents in 2025, a sharp year-on-year increase, underscoring how much pressure sits on legacy authentication.
Unlike many markets where regulators only nudge, the Reserve Bank of India (RBI) has set hard deadlines to move beyond SMS OTP (see Section 3). This gives Indian institutions a concrete compliance reason to evaluate FIDO2-based passkeys now, not someday.
Subscribe to our Passkeys Substack for the latest news.
India's regulatory landscape does not mandate passkeys by name, but its authentication rules point squarely toward phishing-resistant credentials like passkeys.
The most significant driver is the RBI Authentication Directions, 2025, which expand two-factor authentication far beyond SMS OTP. Key aspects relevant to passkeys:
Crucially, the FIDO Alliance submitted formal input to the RBI in December 2024, responding to the draft framework and asking the RBI to allow FIDO authentication as an alternative to OTPs. A more detailed analysis can be found in our RBI 2FA directives and Reserve Bank of India compliance articles.
The Digital Personal Data Protection (DPDP) Act, 2023 received presidential assent on August 11, 2023. It requires Data Fiduciaries to implement "reasonable security safeguards" to prevent personal data breaches, with penalties of up to ₹250 crore (about US$28 million) for failure. The DPDP Rules, 2025, notified in November 2025, make these safeguards concrete, listing encryption, virtual tokens, access controls, logging and monitoring. Phishing-resistant authentication like passkeys maps directly onto these obligations, giving organizations a data-protection reason (not just a payments reason) to adopt them.
The CERT-In Directions under Section 70B of the IT Act, effective June 27, 2022, require organizations to report specified cyber incidents, including identity theft, spoofing, phishing and unauthorized access, within 6 hours. By reducing the attack surface at the point of login, passkeys help institutions avoid the very incidents these directions are designed to track.
India's clearest, best-documented passkey story is unfolding in the payments layer, where the global card networks have moved first.
In August 2024, Mastercard selected India for the global launch of its Payment Passkey Service, explicitly built on EMVCo, W3C and FIDO Alliance standards. It replaces passwords and OTPs with device biometrics and tokenization at checkout. Named launch partners included Axis Bank, payment aggregators Juspay, Razorpay and PayU, and merchant bigbasket. Choosing India for a worldwide first launch reflects the market's scale and the RBI's push away from OTPs.
In July 2026, Visa launched its Payment Passkey in India, with IDFC First Bank as the first issuer. Visa described it as "built on globally accepted FIDO authentication standards" and aligned with the RBI's 2025 framework, replacing OTP entry with a device biometric. It is being rolled out across major merchants including Myntra, Paytm, MakeMyTrip, Tata Starbucks and Reliance Digital.
In October 2025, Razorpay and YES Bank introduced one of India's first RBI-compliant biometric card-authentication Access Control Servers (ACS), letting cardholders approve online card payments with a device biometric instead of an OTP. This is a biometric ACS rather than a full FIDO passkey deployment, but it reflects the same market direction: OTP-less, biometric-first authentication driven by the RBI framework.
Beyond Axis Bank's Mastercard pilot and IDFC First Bank's Visa launch, most large Indian banks (HDFC, ICICI, SBI, Kotak) still rely on user ID plus password and OTP, with on-device biometric app login in some cases. True FIDO passkey login at the retail-banking front door remains the exception rather than the rule, which is exactly where the next wave of adoption is likely to come from.
Why Are Passkeys Important For Enterprises?
Enterprises worldwide face severe risks due to weak passwords and phishing. Passkeys are the only MFA method that meets enterprise security and UX needs. Our whitepaper shows how to implement passkeys efficiently and what the business impact is.

Many Indian users can already use passkeys today, through global platforms that have rolled them out worldwide:
Adoption is not limited to global platforms. A growing set of Indian companies have moved to passkeys on their own products:
The line-up of Indian speakers at the FIDO India Working Group is itself a useful signal: the domestic case studies now come from fintech, travel and media, not just global tech giants.
Igor Gjorgjioski
Head of Digital Channels & Platform Enablement, VicRoads
We hit 80% mobile passkey activation across 5M+ users without replacing our IDP.
See how VicRoads scaled passkeys to 5M+ users — alongside their existing IDP.
Read the case studyBecause so much of India's authentication debate centers on UPI, it is worth being precise about what is and is not a passkey.
In other words, Indian consumers are already used to confirming payments with their face or fingerprint. Passkeys are the standards-based, phishing-resistant version of that same gesture, adding cryptographic origin binding that device biometrics and Aadhaar face matching on their own do not provide.
India's digital public infrastructure (DPI) is world-leading, but it is important to be accurate: the core government identity stack does not yet use FIDO/passkeys.
None of these currently implement passkeys. Given the scale of the DPI, that makes the government stack a significant untapped opportunity for phishing-resistant authentication. Layering FIDO-based passkeys onto DPI would extend the same security benefits the payments sector is now adopting to more than a billion citizens.
India has one of the more mature FIDO communities in the region:
Despite strong momentum, several challenges remain:
For Indian banks, fintechs and payment providers, switching passkeys on is the easy part. The hard part starts on day 2: proving adoption, keeping login success rates stable and finding out why a passkey flow suddenly breaks after an OS or browser update. That is exactly what Corbado Observe measures at the client layer, where backend IdP logs cannot see.
If you are planning or scaling a passkey rollout in India, talk to us about making adoption measurable.
Igor Gjorgjioski
Head of Digital Channels & Platform Enablement, VicRoads
We hit 80% mobile passkey activation across 5M+ users without replacing our IDP.
See how VicRoads scaled passkeys to 5M+ users — alongside their existing IDP.
Read the case studyIndia is arriving at a passkey inflection point, driven by a rare combination of regulatory clarity, unmatched payment scale and an active FIDO community.
In sum, passkeys in India are moving from concept to deployment, led by payments and pulled forward by a decisive regulator. The next phase will be about scale, trust and extending passkeys from checkout pages to the identity systems that serve more than a billion people.
Corbado is the Authentication Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: where passkeys, passwords, OTP, social login and fallback journeys succeed, stall or fail, which devices and browsers create friction, and when an OS update silently breaks login. Two products: Corbado Observe layers process mining and observability across authentication journeys. Corbado Connect adds managed passkeys with analytics built in alongside your IDP. VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →
The RBI Authentication Directions, 2025 expand two-factor authentication beyond SMS OTP and require two independent factors, at least one dynamically generated, for all domestic digital payment transactions by April 1, 2026. The framework recognizes possession factors such as hardware or software tokens and inherence factors such as device biometrics, both of which passkeys satisfy in a single action. The FIDO Alliance submitted formal input to the RBI in December 2024 advocating passkeys.
Mastercard chose India for the global launch of its Payment Passkey Service in August 2024 with partners including Axis Bank, Juspay, Razorpay, PayU and bigbasket. Visa launched its Payment Passkey in India in July 2026 with IDFC First Bank as the first issuer. Global consumer platforms including Google, Amazon India, WhatsApp, Sony PlayStation and Zoho already offer passkeys to Indian users.
Not yet. India's core digital public infrastructure still relies on OTPs, PINs and Aadhaar-based authentication. Aadhaar Face Authentication is UIDAI's own centralized face-matching system, not a FIDO credential. This makes the government identity stack one of the largest untapped opportunities for passkeys in India.
India processed over 21.6 billion UPI transactions worth around ₹27.97 lakh crore (about US$318 billion) in December 2025 alone, and more than 228 billion UPI transactions across 2025. With roughly 958 million internet users, the scale of the login and payment surface makes phishing-resistant authentication a national priority.
The three main barriers are the deep entrenchment of SMS OTP and Aadhaar OTP habits, consumer education gaps around how passkeys work, and legacy integration cost for banks and government platforms. Regulatory clarity from the RBI is now strong for payments, but broader adoption across the digital identity stack still requires coordination and standardization.
Related Articles
Table of Contents