Get your free and exclusive +45-page Authentication Analytics Whitepaper
Back to Overview

Passkeys India: An Overview [2026]

Discover how India is advancing passkey adoption across payments, banking and consumer platforms driven by the RBI Authentication Directions, the DPDP Act and user-friendly FIDO technology.

Vincent Delitz
Vincent Delitz

Created: July 17, 2026

Updated: July 17, 2026

Passkeys India: An Overview [2026]
WhitepaperEnterprise Icon

Enterprise Passkey Whitepaper. Practical guidance, rollout patterns, and KPIs for passkey programs.

Get Whitepaper
Key Facts
  • The RBI Authentication Directions, 2025 expand two-factor authentication beyond SMS OTP and require two independent factors, at least one dynamically generated, for all domestic digital payment transactions by April 1, 2026, creating the strongest regulatory pull for passkeys in India.
  • Mastercard selected India for the global launch of its Payment Passkey Service in August 2024, built on EMVCo, W3C and FIDO Alliance standards, with partners including Axis Bank, Juspay, Razorpay, PayU and bigbasket.
  • Visa launched its Payment Passkey in India in July 2026 with IDFC First Bank as the first issuer, explicitly built on FIDO authentication standards and aligned with the RBI framework.
  • India processed over 21.6 billion UPI transactions worth around ₹27.97 lakh crore (about US$318 billion) in December 2025 alone, making the payment and login surface one of the largest in the world.
  • The FIDO Alliance submitted formal input to the RBI in December 2024 advocating passkeys, and the FIDO India Working Group (founded 2017 with DSCI) continues to drive adoption across the ecosystem.

1. Introduction#

In this post, we provide a concise overview of the current state of passkey adoption within India. Passkeys represent the next generation of secure and user-friendly authentication, moving beyond the vulnerabilities of traditional passwords and SMS one-time passwords (OTPs). As a leader in passkey solutions, we are keenly observing how different regions are adopting this technology. India is one of the most compelling markets in the world: it combines the largest real-time payment system on the planet, an ambitious regulator moving decisively away from SMS OTP and a digital identity stack that touches over a billion people.

This article explores five key questions:

  1. What exactly are passkeys and why are they especially relevant for India?
  2. How is India's regulatory landscape, led by the RBI, driving adoption?
  3. To what extent are payment networks, banks and consumer platforms implementing passkeys?
  4. Where does India's digital public infrastructure (Aadhaar, UPI, DigiLocker) stand?
  5. What are the main challenges to scaling passkey usage nationwide and how can they be overcome?

By answering these questions, we highlight the key developments, challenges and milestones that are shaping India's passkey landscape, from regulatory shifts to real-world adoption.

2. What are passkeys and why are they essential for India?#

2.1 Defining passkeys#

Passkeys replace traditional passwords with a much simpler and more secure way to log into websites and apps. Instead of typing a password or an OTP, you use your device's built-in security features, like your fingerprint, face recognition or device PIN, to sign in. Each passkey is unique to the website or app it is used for and is stored securely on your device(s).

Technically, a passkey is a public-key credential based on the FIDO2/WebAuthn standards. The private key is never exposed to the website; only the matching public key is registered with the service. With synced passkeys the private key is backed up and shared across a user's devices through an end-to-end encrypted credential manager (such as iCloud Keychain or Google Password Manager), while device-bound passkeys stay on a single authenticator. In both cases the key material is never handed to the relying party. At login, the server sends a one-time challenge, the device signs it with the private key (unlocked by the user's biometric or PIN) and the server verifies that signature against the stored public key. Because the signature is cryptographically bound to the legitimate site's relying party ID, a passkey created for one domain simply will not sign in on a look-alike phishing domain. This is what makes passkeys highly resistant to common online threats like phishing scams, SIM swap attacks and large-scale data breaches, where passwords and OTPs might be stolen or intercepted.

2.2 Why passkeys matter specifically in India#

The push towards passkeys in India is driven by several structural factors:

2.2.1 An unmatched digital payments scale#

India runs the largest real-time payment system in the world. In December 2025 alone, the Unified Payment Interface (UPI) processed over 21.6 billion transactions worth around ₹27.97 lakh crore (about US$318 billion), and across the full year 2025 UPI crossed 228 billion transactions. With roughly 958 million internet users (IAMAI–Kantar, 2025), the sheer size of the login and payment surface makes phishing-resistant authentication a national priority rather than a nice-to-have.

2.2.2 The limits of SMS OTP#

For over a decade, SMS OTP has been the backbone of Indian digital authentication. But OTPs are increasingly bypassed through phishing, SIM swap fraud and social engineering. In Authorized Push Payment scams, a deceived customer voluntarily enters the OTP, turning the safeguard into a tool of the crime. India's cyber agency CERT-In handled around 2.94 million incidents in 2025, a sharp year-on-year increase, underscoring how much pressure sits on legacy authentication.

2.2.3 A regulator moving decisively#

Unlike many markets where regulators only nudge, the Reserve Bank of India (RBI) has set hard deadlines to move beyond SMS OTP (see Section 3). This gives Indian institutions a concrete compliance reason to evaluate FIDO2-based passkeys now, not someday.

Substack Icon

Subscribe to our Passkeys Substack for the latest news.

Subscribe

3. The regulatory environment: a clear catalyst#

India's regulatory landscape does not mandate passkeys by name, but its authentication rules point squarely toward phishing-resistant credentials like passkeys.

3.1 RBI Authentication Directions, 2025: the main catalyst#

The most significant driver is the RBI Authentication Directions, 2025, which expand two-factor authentication far beyond SMS OTP. Key aspects relevant to passkeys:

  • Two distinct factors, at least one dynamic: Full 2FA with two independent factors, at least one of them dynamically generated, is mandated for all domestic digital payment transactions by April 1, 2026, with risk-based controls for cross-border Card-Not-Present transactions by October 1, 2026. This is what moves the market off static SMS OTP.
  • Approved factor categories: The framework recognizes something known (passwords or PINs), something possessed (a hardware or software token) and something inherent (a biometric, for example a device fingerprint or face unlock). Passkeys satisfy both the possession and the inherence factor in a single action.
  • Complementary anti-phishing measures: A parallel migration of banking domains to the exclusive .bank.in domain (deadline October 31, 2025) secures the initial customer contact point against spoofing before authentication even begins.
  • Risk-Based Authentication: Streamlined flows are permitted for low-value contactless payments under ₹5,000 (about US$60), while full 2FA is required for anomalous or high-value transactions.

Crucially, the FIDO Alliance submitted formal input to the RBI in December 2024, responding to the draft framework and asking the RBI to allow FIDO authentication as an alternative to OTPs. A more detailed analysis can be found in our RBI 2FA directives and Reserve Bank of India compliance articles.

3.2 The DPDP Act, 2023 and DPDP Rules, 2025#

The Digital Personal Data Protection (DPDP) Act, 2023 received presidential assent on August 11, 2023. It requires Data Fiduciaries to implement "reasonable security safeguards" to prevent personal data breaches, with penalties of up to ₹250 crore (about US$28 million) for failure. The DPDP Rules, 2025, notified in November 2025, make these safeguards concrete, listing encryption, virtual tokens, access controls, logging and monitoring. Phishing-resistant authentication like passkeys maps directly onto these obligations, giving organizations a data-protection reason (not just a payments reason) to adopt them.

3.3 CERT-In Directions#

The CERT-In Directions under Section 70B of the IT Act, effective June 27, 2022, require organizations to report specified cyber incidents, including identity theft, spoofing, phishing and unauthorized access, within 6 hours. By reducing the attack surface at the point of login, passkeys help institutions avoid the very incidents these directions are designed to track.

4. Payments sector adoption: card networks lead#

India's clearest, best-documented passkey story is unfolding in the payments layer, where the global card networks have moved first.

4.1 Mastercard: India chosen for a global launch#

In August 2024, Mastercard selected India for the global launch of its Payment Passkey Service, explicitly built on EMVCo, W3C and FIDO Alliance standards. It replaces passwords and OTPs with device biometrics and tokenization at checkout. Named launch partners included Axis Bank, payment aggregators Juspay, Razorpay and PayU, and merchant bigbasket. Choosing India for a worldwide first launch reflects the market's scale and the RBI's push away from OTPs.

4.2 Visa: Payment Passkey with IDFC First Bank#

In July 2026, Visa launched its Payment Passkey in India, with IDFC First Bank as the first issuer. Visa described it as "built on globally accepted FIDO authentication standards" and aligned with the RBI's 2025 framework, replacing OTP entry with a device biometric. It is being rolled out across major merchants including Myntra, Paytm, MakeMyTrip, Tata Starbucks and Reliance Digital.

4.3 Biometric access control servers#

In October 2025, Razorpay and YES Bank introduced one of India's first RBI-compliant biometric card-authentication Access Control Servers (ACS), letting cardholders approve online card payments with a device biometric instead of an OTP. This is a biometric ACS rather than a full FIDO passkey deployment, but it reflects the same market direction: OTP-less, biometric-first authentication driven by the RBI framework.

4.4 Banks: early but uneven#

Beyond Axis Bank's Mastercard pilot and IDFC First Bank's Visa launch, most large Indian banks (HDFC, ICICI, SBI, Kotak) still rely on user ID plus password and OTP, with on-device biometric app login in some cases. True FIDO passkey login at the retail-banking front door remains the exception rather than the rule, which is exactly where the next wave of adoption is likely to come from.

Why Are Passkeys Important For Enterprises?

Passkeys for Enterprises

Enterprises worldwide face severe risks due to weak passwords and phishing. Passkeys are the only MFA method that meets enterprise security and UX needs. Our whitepaper shows how to implement passkeys efficiently and what the business impact is.

Passkeys for Enterprises

Download free whitepaper

5. Consumer platforms: passkeys already in Indian pockets#

Many Indian users can already use passkeys today, through global platforms that have rolled them out worldwide:

  • Google: Passkeys are available across Google Accounts and are now the default for many personal accounts. Google reported over 2.5 billion passkey sign-ins across 800 million accounts, with sign-in success rates roughly 30% higher than passwords.
  • Amazon (including Amazon.in): Passkey sign-in launched in October 2023 and Amazon reports more than 175 million customers have enabled passkeys. Amazon.in maintains an official passkey help page.
  • WhatsApp: With one of its largest user bases in India, WhatsApp added passkey login in 2023 and, in October 2025, passkey-protected encrypted backups, phased out across regions including India.
  • Sony PlayStation: Passkey sign-in is available globally, with a dedicated India setup page.

5.1 Indian companies rolling out passkeys#

Adoption is not limited to global platforms. A growing set of Indian companies have moved to passkeys on their own products:

  • Times Internet: At the June 2025 FIDO India Working Group meetup, one of India's largest digital media groups was cited as having migrated from passwords to passkeys across its consumer platforms.
  • Zoho: The Chennai-headquartered software company offers passkey sign-in for Zoho accounts and passkey management in Zoho Vault, a rare example of an Indian vendor building passkeys into products it ships to customers.
  • PhonePe: India's largest UPI app is presenting a passkey adoption case study at the August 2026 FIDO India event, sharing learnings from rolling passkeys out on a critical user journey. (This is separate from PhonePe's device-biometric UPI feature covered in Section 6, which is not a passkey.)
  • MakeMyTrip: India's leading online travel platform is likewise presenting its passkey learnings and success story at the same FIDO India event.

The line-up of Indian speakers at the FIDO India Working Group is itself a useful signal: the domestic case studies now come from fintech, travel and media, not just global tech giants.

Igor Gjorgjioski Testimonial

Igor Gjorgjioski

Head of Digital Channels & Platform Enablement, VicRoads

We hit 80% mobile passkey activation across 5M+ users without replacing our IDP.

See how VicRoads scaled passkeys to 5M+ users — alongside their existing IDP.

Read the case study

6. UPI and device biometrics: an important distinction#

Because so much of India's authentication debate centers on UPI, it is worth being precise about what is and is not a passkey.

  • Device-biometric UPI is not the same as passkeys. In February 2026, PhonePe rolled out UPI payments authorized by an on-device fingerprint or face for amounts up to ₹5,000 (about US$60). This uses the phone's biometric as a second factor, but it is not a FIDO passkey. It is, however, a clear step away from OTP-style flows and shows how comfortable Indian consumers already are with biometric confirmation.
  • Aadhaar Face Authentication in UPI (October 2025) uses UIDAI's own centralized face-matching to help users set or reset their UPI PIN. This is Aadhaar-central technology, not a WebAuthn credential.

In other words, Indian consumers are already used to confirming payments with their face or fingerprint. Passkeys are the standards-based, phishing-resistant version of that same gesture, adding cryptographic origin binding that device biometrics and Aadhaar face matching on their own do not provide.

7. Government and digital identity: the big opportunity#

India's digital public infrastructure (DPI) is world-leading, but it is important to be accurate: the core government identity stack does not yet use FIDO/passkeys.

  • Aadhaar authentication relies on OTP, biometric and demographic matching against a central database. Aadhaar Face Authentication is UIDAI's proprietary AI face-matching, which crossed 200 crore (2 billion) cumulative transactions in August 2025, not a passkey.
  • DigiLocker login uses mobile plus OTP, Aadhaar OTP/biometric and a 6-digit PIN.
  • Jan Parichay / MeriPehchaan (the National Single Sign-On) uses a password plus a second factor such as OTP, backup codes or an app-based prompt.

None of these currently implement passkeys. Given the scale of the DPI, that makes the government stack a significant untapped opportunity for phishing-resistant authentication. Layering FIDO-based passkeys onto DPI would extend the same security benefits the payments sector is now adopting to more than a billion citizens.

8. FIDO Alliance activity in India#

India has one of the more mature FIDO communities in the region:

  • The FIDO India Working Group (FIWG) was founded in May 2017 in partnership with the Data Security Council of India (DSCI), and is currently chaired by Niharika Arora (Google) with vice chair Tapesh Bhatnagar (G+D).
  • A FIWG member meetup and workshop in June 2025 in Bengaluru drew over 100 attendees from 50+ organizations, including Google, Zoho, Times Internet, Mastercard and Yubico.
  • The FIDO Alliance's December 2024 letter to the RBI cited real-world proof points (Google, Amazon, X) to argue that passkeys should be an approved alternative to OTPs in the Indian payments framework.
  • An upcoming FIDO India Working Group meetup on August 7, 2026 in Bengaluru features speakers from Google, Visa, PhonePe, MakeMyTrip and the FIDO Alliance, alongside Corbado's Vincent Delitz, who is presenting "Passkeys Explained Clearly."

9. Overcoming hurdles: challenges to widespread adoption#

Despite strong momentum, several challenges remain:

  • Deeply entrenched OTP habits: SMS OTP and Aadhaar OTP are woven into a decade of Indian digital behaviour. Migrating users, and the systems around them, takes time and clear communication.
  • Consumer education: As in other markets, many users conflate passkeys with existing device biometrics and need simple explanations of how they work, how they are stored (on-device vs. synced) and why they are safer than OTPs.
  • Legacy integration and cost: Retrofitting passkeys onto core banking and government platforms is complex, and smaller institutions will weigh the investment carefully.
  • Feature phones and device diversity: India's device base is vast and varied. Passkey rollouts need graceful fallbacks for users without modern smartphones.
  • Extending beyond payments: RBI clarity is strong for payments, but broader adoption across the identity and public-sector stack still requires coordination and standardization.

10. How Corbado can help#

For Indian banks, fintechs and payment providers, switching passkeys on is the easy part. The hard part starts on day 2: proving adoption, keeping login success rates stable and finding out why a passkey flow suddenly breaks after an OS or browser update. That is exactly what Corbado Observe measures at the client layer, where backend IdP logs cannot see.

  • See your real login funnel: Track login success rate, passkey ceremonies, method distribution and abort reasons stage by stage, instead of stitching together dashboards that were never built for authentication.
  • Turn adoption into a number: Measure active passkey usage over time so Payment System Providers can prove progress against the RBI's move away from SMS OTP, rather than guessing.
  • Debug what users actually hit: Reconstruct an individual login journey to explain why a specific user failed, including device- and OS-specific passkey breakages that only show up in the field.

If you are planning or scaling a passkey rollout in India, talk to us about making adoption measurable.

Igor Gjorgjioski Testimonial

Igor Gjorgjioski

Head of Digital Channels & Platform Enablement, VicRoads

We hit 80% mobile passkey activation across 5M+ users without replacing our IDP.

See how VicRoads scaled passkeys to 5M+ users — alongside their existing IDP.

Read the case study

11. Conclusion: India at a passkey inflection point#

India is arriving at a passkey inflection point, driven by a rare combination of regulatory clarity, unmatched payment scale and an active FIDO community.

  1. What are passkeys and why do they matter for India?
    India runs the world's largest real-time payment system and faces relentless OTP-based fraud, exactly the conditions where phishing-resistant passkeys deliver the most value.
  2. How is regulation driving change?
    The RBI Authentication Directions, 2025 push the market beyond SMS OTP with hard deadlines, while the DPDP Act and CERT-In directions reinforce the need for strong authentication.
  3. How far has implementation gone?
    The card networks lead: Mastercard chose India for a global first launch and Visa has gone live with IDFC First Bank, while Google, Amazon India, WhatsApp and Zoho already put passkeys in users' hands.
  4. Where does the government stack stand?
    Aadhaar, DigiLocker and Jan Parichay do not yet use passkeys, making India's DPI the single largest opportunity for phishing-resistant authentication in the country.
  5. What challenges remain?
    Entrenched OTP habits, consumer education, legacy cost and device diversity are real, but increasingly solvable with the right focus and collaboration.

In sum, passkeys in India are moving from concept to deployment, led by payments and pulled forward by a decisive regulator. The next phase will be about scale, trust and extending passkeys from checkout pages to the identity systems that serve more than a billion people.

Corbado

About Corbado

Corbado is the Authentication Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: where passkeys, passwords, OTP, social login and fallback journeys succeed, stall or fail, which devices and browsers create friction, and when an OS update silently breaks login. Two products: Corbado Observe layers process mining and observability across authentication journeys. Corbado Connect adds managed passkeys with analytics built in alongside your IDP. VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert

Frequently Asked Questions#

Which regulation is pushing India beyond SMS OTP toward passkeys?#

The RBI Authentication Directions, 2025 expand two-factor authentication beyond SMS OTP and require two independent factors, at least one dynamically generated, for all domestic digital payment transactions by April 1, 2026. The framework recognizes possession factors such as hardware or software tokens and inherence factors such as device biometrics, both of which passkeys satisfy in a single action. The FIDO Alliance submitted formal input to the RBI in December 2024 advocating passkeys.

Which companies have deployed passkeys for Indian users so far?#

Mastercard chose India for the global launch of its Payment Passkey Service in August 2024 with partners including Axis Bank, Juspay, Razorpay, PayU and bigbasket. Visa launched its Payment Passkey in India in July 2026 with IDFC First Bank as the first issuer. Global consumer platforms including Google, Amazon India, WhatsApp, Sony PlayStation and Zoho already offer passkeys to Indian users.

Do Aadhaar, DigiLocker and Jan Parichay use passkeys?#

Not yet. India's core digital public infrastructure still relies on OTPs, PINs and Aadhaar-based authentication. Aadhaar Face Authentication is UIDAI's own centralized face-matching system, not a FIDO credential. This makes the government identity stack one of the largest untapped opportunities for passkeys in India.

How large is the digital payments surface that passkeys would protect in India?#

India processed over 21.6 billion UPI transactions worth around ₹27.97 lakh crore (about US$318 billion) in December 2025 alone, and more than 228 billion UPI transactions across 2025. With roughly 958 million internet users, the scale of the login and payment surface makes phishing-resistant authentication a national priority.

What are the main barriers to passkey adoption in India?#

The three main barriers are the deep entrenchment of SMS OTP and Aadhaar OTP habits, consumer education gaps around how passkeys work, and legacy integration cost for banks and government platforms. Regulatory clarity from the RBI is now strong for payments, but broader adoption across the digital identity stack still requires coordination and standardization.

See what's really happening in your passkey rollout.

Explore the Console

Share this article


LinkedInTwitterFacebook