---
url: 'https://www.corbado.com/blog/passkeys-india-overview'
title: 'Passkeys India: An Overview [2026]'
description: 'Discover how India is advancing passkey adoption across payments, banking and consumer platforms driven by the RBI Authentication Directions, the DPDP Act and user-friendly FIDO technology.'
lang: 'en'
author: 'Vincent Delitz'
date: '2026-07-17T11:25:01.920Z'
lastModified: '2026-07-17T11:26:04.906Z'
keywords: 'passkeys India, passwordless authentication India, FIDO2 India, RBI authentication directions, secure login India, biometric login India, UPI authentication, digital payment security India, multi-factor authentication India, DPDP Act passkeys'
category: 'Passkeys Strategy'
---

# Passkeys India: An Overview [2026]

## Key Facts

- The **RBI Authentication Directions, 2025** expand two-factor authentication beyond SMS
  OTP and require two independent factors, at least one dynamically generated, for all
  domestic digital payment transactions by **April 1, 2026**, creating the strongest regulatory pull for passkeys in India.
- **Mastercard selected India for the global launch of its Payment Passkey Service** in
  August 2024, built on EMVCo, W3C and FIDO Alliance standards, with partners including
  Axis Bank, Juspay, Razorpay, PayU and bigbasket.
- **Visa launched its Payment Passkey in India in July 2026** with IDFC First Bank as the
  first issuer, explicitly built on FIDO authentication standards and aligned with the RBI
  framework.
- India processed **over 21.6 billion UPI transactions worth around ₹27.97 lakh crore (about US$318 billion) in
  December 2025 alone**, making the payment and login surface one of the largest in the
  world.
- The **FIDO Alliance submitted formal input to the RBI in December 2024** advocating
  passkeys, and the **FIDO India Working Group** (founded 2017 with DSCI) continues to
  drive adoption across the ecosystem.

## 1. Introduction

In this post, we provide a concise overview of the current state of passkey adoption within
India. Passkeys represent the next generation of secure and
[user-friendly authentication](https://www.corbado.com/faq/passkey-user-experience-benefits-non-technical-audience),
moving beyond the [vulnerabilities](https://www.corbado.com/glossary/vulnerability) of traditional passwords and
SMS one-time passwords (OTPs). As a leader in passkey solutions, we are keenly observing how
different regions are adopting this technology. India is one of the most compelling markets
in the world: it combines the largest real-time payment system on the planet, an ambitious
regulator moving decisively away from SMS OTP and a digital identity stack that touches over
a billion people.

**This article explores five key questions:**

1. **What exactly are passkeys and why are they especially relevant for India?**
2. **How is India's regulatory landscape, led by the RBI, driving adoption?**
3. **To what extent are payment networks, banks and consumer platforms implementing
   passkeys?**
4. **Where does India's digital public infrastructure (Aadhaar, UPI, DigiLocker) stand?**
5. **What are the main challenges to scaling passkey usage nationwide and how can they be
   overcome?**

By answering these questions, we highlight the key developments, challenges and milestones
that are shaping India's passkey landscape, from regulatory shifts to real-world adoption.

## 2. What are passkeys and why are they essential for India?

### 2.1 Defining passkeys

Passkeys replace traditional passwords with a much simpler and more secure way to log into
websites and apps. Instead of typing a password or an OTP, you use your device's built-in
security features, like your fingerprint, face recognition or device PIN, to sign in. Each
passkey is unique to the website or app it is used for and is stored securely on your
device(s).

Technically, a passkey is a [public-key](https://www.corbado.com/glossary/public-key-cryptography) credential based
on the [FIDO2](https://www.corbado.com/glossary/fido2)/[WebAuthn](https://www.corbado.com/glossary/webauthn) standards. The **private key is
never exposed to the website**; only the matching public key is registered with the service.
With synced passkeys the private key is backed up and shared across a user's devices through
an end-to-end encrypted credential manager (such as [iCloud Keychain](https://www.corbado.com/blog/how-to-use-apple-passwords) or
[Google Password Manager](https://www.corbado.com/blog/how-to-use-google-password-manager)), while device-bound
passkeys stay on a single authenticator. In both cases the key material is never handed to the
relying party. At login, the server sends a one-time **challenge**, the device signs it with
the private key (unlocked by the user's biometric or PIN) and the **server verifies that
signature** against the stored public key. Because the signature is cryptographically bound to
the legitimate site's [relying party ID](https://www.corbado.com/glossary/relying-party), a passkey created for one
domain simply will not sign in on a look-alike phishing domain. This is what makes passkeys
highly resistant to common online threats like [phishing](https://www.corbado.com/glossary/phishing) scams,
[SIM swap](https://www.corbado.com/glossary/sim-swap) attacks and
[large-scale](https://www.corbado.com/blog/introducing-passkeys-large-scale-overview) data breaches, where passwords
and OTPs might be stolen or intercepted.

### 2.2 Why passkeys matter specifically in India

The push towards passkeys in India is driven by several structural factors:

#### 2.2.1 An unmatched digital payments scale

India runs the largest real-time payment system in the world. In **December 2025 alone**,
the Unified [Payment](https://www.corbado.com/passkeys-for-payment) Interface (UPI) processed **over 21.6 billion
transactions worth around ₹27.97 lakh crore (about US$318 billion)**, and across the full year 2025 UPI crossed
**228 billion transactions**. With roughly **958 million internet users** (IAMAI–Kantar,
2025), the sheer size of the login and [payment](https://www.corbado.com/passkeys-for-payment) surface makes
phishing-resistant authentication a national priority rather than a nice-to-have.

#### 2.2.2 The limits of SMS OTP

For over a decade, SMS OTP has been the backbone of Indian digital authentication. But OTPs
are increasingly bypassed through [phishing](https://www.corbado.com/glossary/phishing),
[SIM swap](https://www.corbado.com/glossary/sim-swap) fraud and social engineering. In Authorized Push Payment
scams, a deceived customer voluntarily enters the OTP, turning the safeguard into a tool of
the crime. India's cyber agency **CERT-In handled around 2.94 million incidents in 2025**,
a sharp year-on-year increase, underscoring how much pressure sits on legacy authentication.

#### 2.2.3 A regulator moving decisively

Unlike many markets where regulators only nudge, the **Reserve Bank of India (RBI)** has set
hard deadlines to move beyond SMS OTP (see Section 3). This gives Indian institutions a
concrete compliance reason to evaluate [FIDO2](https://www.corbado.com/glossary/fido2)-based passkeys now, not
someday.

## 3. The regulatory environment: a clear catalyst

India's regulatory landscape does not [mandate passkeys](https://www.corbado.com/blog/mandating-mfa) by name, but
its authentication rules point squarely toward phishing-resistant credentials like passkeys.

### 3.1 RBI Authentication Directions, 2025: the main catalyst

The most significant driver is the **RBI Authentication Directions, 2025**, which expand
two-factor authentication far beyond SMS OTP. Key aspects relevant to passkeys:

- **Two distinct factors, at least one dynamic:** Full 2FA with two independent factors, at
  least one of them dynamically generated, is mandated for all domestic digital
  [payment](https://www.corbado.com/passkeys-for-payment) transactions by **April 1, 2026**, with risk-based
  controls for cross-border Card-Not-Present transactions by **October 1, 2026**. This is
  what moves the market off static SMS OTP.
- **Approved factor categories:** The framework recognizes _something known_ (passwords or
  PINs), _something possessed_ (a hardware or software token) and _something inherent_ (a
  biometric, for example a device fingerprint or face unlock). Passkeys satisfy both the
  possession and the inherence factor in a single action.
- **Complementary anti-phishing measures:** A parallel migration of banking domains to the
  exclusive **.bank.in** domain (deadline October 31, 2025) secures the initial customer
  contact point against spoofing before authentication even begins.
- **Risk-Based Authentication:** Streamlined flows are permitted for low-value contactless
  [payments](https://www.corbado.com/passkeys-for-payment) under ₹5,000 (about US$60), while full 2FA is required for anomalous
  or high-value transactions.

Crucially, the **FIDO Alliance submitted formal input to the RBI in December 2024**,
responding to the draft framework and asking the RBI to allow FIDO authentication as an
alternative to OTPs. A more detailed analysis can be found in our
[RBI 2FA directives](https://www.corbado.com/blog/rbi-2fa-directives) and
[Reserve Bank of India compliance](https://www.corbado.com/blog/reserve-bank-india-compliance) articles.

### 3.2 The DPDP Act, 2023 and DPDP Rules, 2025

The **Digital Personal Data Protection (DPDP) Act, 2023** received presidential assent on
August 11, 2023. It requires Data Fiduciaries to implement "reasonable security safeguards"
to prevent personal data breaches, with penalties of up to **₹250 crore (about US$28 million)** for failure. The
**DPDP Rules, 2025**, notified in November 2025, make these safeguards concrete, listing
encryption, virtual tokens, access controls, logging and monitoring. Phishing-resistant
authentication like passkeys maps directly onto these obligations, giving organizations a
data-protection reason (not just a payments reason) to adopt them.

### 3.3 CERT-In Directions

The **CERT-In Directions under Section 70B of the IT Act**, effective June 27, 2022, require
organizations to report specified cyber incidents, including identity theft, spoofing,
[phishing](https://www.corbado.com/glossary/phishing) and unauthorized access, within **6 hours**. By reducing the
attack surface at the point of login, passkeys help institutions avoid the very incidents
these directions are designed to track.

## 4. Payments sector adoption: card networks lead

India's clearest, best-documented passkey story is unfolding in the payments layer, where
the global card networks have moved first.

### 4.1 Mastercard: India chosen for a global launch

In **August 2024, Mastercard selected India for the global launch of its Payment Passkey
Service**, explicitly built on **EMVCo, W3C and FIDO Alliance standards**. It replaces
passwords and OTPs with device [biometrics](https://www.corbado.com/blog/passkeys-biometric-authentication) and
[tokenization](https://www.corbado.com/glossary/network-tokenisation) at checkout. Named launch partners included **Axis
Bank**, payment aggregators **Juspay, Razorpay and PayU**, and merchant **bigbasket**.
Choosing India for a worldwide first launch reflects the market's scale and the RBI's push
away from OTPs.

### 4.2 Visa: Payment Passkey with IDFC First Bank

In **July 2026, Visa launched its Payment Passkey in India**, with **IDFC First Bank as the
first issuer**. Visa described it as "built on globally accepted FIDO authentication
standards" and aligned with the RBI's 2025 framework, replacing OTP entry with a device
biometric. It is being rolled out across major merchants including Myntra, Paytm, MakeMyTrip,
Tata Starbucks and Reliance Digital.

### 4.3 Biometric access control servers

In **October 2025, Razorpay and YES Bank** introduced one of India's first RBI-compliant
biometric card-authentication Access Control Servers (ACS), letting cardholders approve
online card [payments](https://www.corbado.com/passkeys-for-payment) with a device biometric instead of an OTP.
This is a biometric ACS rather than a full FIDO passkey deployment, but it reflects the same
market direction: OTP-less, biometric-first authentication driven by the RBI framework.

### 4.4 Banks: early but uneven

Beyond Axis Bank's Mastercard pilot and IDFC First Bank's Visa launch, most large Indian
banks (HDFC, ICICI, SBI, Kotak) still rely on user ID plus password and OTP, with on-device
[biometric](https://www.corbado.com/blog/passkeys-local-biometrics) app login in some cases. True FIDO passkey login
at the retail-banking front door remains the exception rather than the rule, which is exactly
where the next wave of adoption is likely to come from.

## 5. Consumer platforms: passkeys already in Indian pockets

Many Indian users can already use passkeys today, through global platforms that have rolled
them out worldwide:

- **Google:** Passkeys are available across Google Accounts and are now the default for many
  personal accounts. Google reported over **2.5 billion passkey sign-ins across 800 million
  accounts**, with sign-in success rates roughly 30% higher than passwords.
- **Amazon (including Amazon.in):** Passkey sign-in launched in October 2023 and Amazon
  reports **more than 175 million customers** have enabled passkeys. Amazon.in maintains an
  official passkey help page.
- **WhatsApp:** With one of its largest user bases in India, WhatsApp added passkey login in
  2023 and, in **October 2025, passkey-protected encrypted backups**, phased out across
  regions including India.
- **Sony PlayStation:** Passkey sign-in is available globally, with a dedicated India setup
  page.

### 5.1 Indian companies rolling out passkeys

Adoption is not limited to global platforms. A growing set of Indian companies have moved to
passkeys on their own products:

- **Times Internet:** At the June 2025 FIDO India Working Group meetup, one of India's largest
  digital media groups was cited as having **migrated from passwords to passkeys** across its
  consumer platforms.
- **Zoho:** The Chennai-headquartered software company offers passkey sign-in for Zoho
  accounts and passkey management in Zoho Vault, a rare example of an Indian vendor building
  passkeys into products it ships to customers.
- **PhonePe:** India's largest UPI app is presenting a **passkey adoption case study** at the
  August 2026 FIDO India event, sharing learnings from rolling passkeys out on a critical user
  journey. (This is separate from PhonePe's device-biometric UPI feature covered in Section 6,
  which is not a passkey.)
- **MakeMyTrip:** India's leading online travel platform is likewise presenting its passkey
  **learnings and success story** at the same FIDO India event.

The line-up of Indian speakers at the FIDO India Working Group is itself a useful signal: the
domestic case studies now come from fintech, travel and media, not just global tech giants.

## 6. UPI and device biometrics: an important distinction

Because so much of India's authentication debate centers on UPI, it is worth being precise
about what is and is not a passkey.

- **Device-biometric UPI is not the same as passkeys.** In February 2026, **PhonePe** rolled
  out UPI payments authorized by an on-device fingerprint or face for amounts up to ₹5,000 (about US$60).
  This uses the phone's biometric as a second factor, but it is not a FIDO passkey. It is,
  however, a clear step away from OTP-style flows and shows how comfortable Indian consumers
  already are with biometric confirmation.
- **Aadhaar Face Authentication in UPI (October 2025)** uses UIDAI's own centralized
  face-matching to help users set or reset their UPI PIN. This is Aadhaar-central technology,
  not a WebAuthn credential.

In other words, Indian consumers are already used to confirming payments with their face or
fingerprint. Passkeys are the standards-based, phishing-resistant version of that same
gesture, adding cryptographic origin binding that device biometrics and Aadhaar face matching
on their own do not provide.

## 7. Government and digital identity: the big opportunity

India's digital public infrastructure (DPI) is world-leading, but it is important to be
accurate: **the core government identity stack does not yet use FIDO/passkeys.**

- **Aadhaar** authentication relies on OTP, biometric and demographic matching against a
  central database. **Aadhaar Face Authentication** is UIDAI's proprietary AI face-matching,
  which crossed **200 crore (2 billion) cumulative transactions in August 2025**, not a
  passkey.
- **DigiLocker** login uses mobile plus OTP, Aadhaar OTP/biometric and a 6-digit PIN.
- **Jan Parichay / MeriPehchaan** (the National Single Sign-On) uses a password plus a second
  factor such as OTP, backup codes or an app-based prompt.

None of these currently implement passkeys. Given the scale of the DPI, that makes the
government stack a significant **untapped opportunity** for phishing-resistant
authentication. Layering FIDO-based passkeys onto DPI would extend the same security benefits
the payments sector is now adopting to more than a billion citizens.

## 8. FIDO Alliance activity in India

India has one of the more mature FIDO communities in the region:

- The **FIDO India Working Group (FIWG)** was founded in **May 2017** in partnership with the
  **Data Security Council of India (DSCI)**, and is currently chaired by Niharika Arora
  (Google) with vice chair Tapesh Bhatnagar (G+D).
- A **FIWG member meetup and workshop in June 2025** in Bengaluru drew over 100 attendees
  from 50+ organizations, including Google, Zoho, Times Internet, Mastercard and Yubico.
- The **FIDO Alliance's December 2024 letter to the RBI** cited real-world proof points
  (Google, Amazon, X) to argue that passkeys should be an approved alternative to OTPs in
  the Indian payments framework.
- An upcoming **FIDO India Working Group meetup on August 7, 2026** in Bengaluru features
  speakers from Google, Visa, PhonePe, MakeMyTrip and the FIDO Alliance, alongside Corbado's
  **Vincent Delitz**, who is presenting "Passkeys Explained Clearly."

## 9. Overcoming hurdles: challenges to widespread adoption

Despite strong momentum, several challenges remain:

- **Deeply entrenched OTP habits:** SMS OTP and Aadhaar OTP are woven into a decade of Indian
  digital behaviour. Migrating users, and the systems around them, takes time and clear
  communication.
- **Consumer education:** As in other markets, many users conflate passkeys with existing
  device biometrics and need simple explanations of how they work, how they are stored
  (on-device vs. synced) and why they are safer than OTPs.
- **Legacy integration and cost:** Retrofitting passkeys onto core banking and government
  platforms is complex, and smaller institutions will weigh the investment carefully.
- **Feature phones and device diversity:** India's device base is vast and varied. Passkey
  rollouts need graceful fallbacks for users without modern smartphones.
- **Extending beyond payments:** RBI clarity is strong for payments, but broader adoption
  across the identity and public-sector stack still requires coordination and
  standardization.

## 10. How Corbado can help

For Indian banks, fintechs and payment providers, switching passkeys on is the easy part.
The hard part starts on day 2: proving adoption, keeping login success rates stable and
finding out why a passkey flow suddenly breaks after an OS or browser update. That is exactly
what [Corbado Observe](https://www.corbado.com/observe) measures at the client layer, where backend IdP logs cannot
see.

[Watch video](https://www.corbado.com/videos/features/login-overview.mp4)

- **See your real login funnel:** Track login success rate, passkey ceremonies, method
  distribution and abort reasons stage by stage, instead of stitching together dashboards
  that were never built for authentication.
- **Turn adoption into a number:** Measure active passkey usage over time so Payment System
  Providers can prove progress against the RBI's move away from SMS OTP, rather than guessing.
- **Debug what users actually hit:** Reconstruct an individual login journey to explain why
  a specific user failed, including device- and OS-specific passkey breakages that only show
  up in the field.

If you are planning or scaling a passkey rollout in India, [talk to us](https://www.corbado.com/contact) about making
adoption measurable.

## 11. Conclusion: India at a passkey inflection point

India is arriving at a **passkey inflection point**, driven by a rare combination of
regulatory clarity, unmatched payment scale and an active FIDO community.

1. **What are passkeys and why do they matter for India?**\
   India runs the world's largest real-time payment system and faces relentless OTP-based
   fraud, exactly the conditions where phishing-resistant passkeys deliver the most value.
2. **How is regulation driving change?**\
   The RBI Authentication Directions, 2025 push the market beyond SMS OTP with hard
   deadlines, while the DPDP Act and CERT-In directions reinforce the need for strong
   authentication.
3. **How far has implementation gone?**\
   The card networks lead: Mastercard chose India for a global first launch and Visa has gone
   live with IDFC First Bank, while Google, Amazon India, WhatsApp and Zoho already put
   passkeys in users' hands.
4. **Where does the government stack stand?**\
   Aadhaar, DigiLocker and Jan Parichay do not yet use passkeys, making India's DPI the
   single largest opportunity for phishing-resistant authentication in the country.
5. **What challenges remain?**\
   Entrenched OTP habits, consumer education, legacy cost and device diversity are real, but
   increasingly solvable with the right focus and collaboration.

In sum, passkeys in India are moving from concept to deployment, led by payments and pulled
forward by a decisive regulator. The next phase will be about scale, trust and extending
passkeys from checkout pages to the identity systems that serve more than a billion people.

## Frequently Asked Questions

### Which regulation is pushing India beyond SMS OTP toward passkeys?

The RBI Authentication Directions, 2025 expand two-factor authentication beyond SMS OTP and
require two independent factors, at least one dynamically generated, for all domestic digital
payment transactions by April 1, 2026. The framework recognizes possession factors such as
hardware or software tokens and inherence factors such as device biometrics, both of which
passkeys satisfy in a single action. The FIDO Alliance submitted formal input to the RBI in
December 2024 advocating passkeys.

### Which companies have deployed passkeys for Indian users so far?

Mastercard chose India for the global launch of its Payment Passkey Service in August 2024
with partners including Axis Bank, Juspay, Razorpay, PayU and bigbasket. Visa launched its
Payment Passkey in India in July 2026 with IDFC First Bank as the first issuer. Global consumer
platforms including Google, Amazon India, WhatsApp, Sony PlayStation and Zoho already offer
passkeys to Indian users.

### Do Aadhaar, DigiLocker and Jan Parichay use passkeys?

Not yet. India's core digital public infrastructure still relies on OTPs, PINs and
Aadhaar-based authentication. Aadhaar Face Authentication is UIDAI's own centralized
face-matching system, not a FIDO credential. This makes the government identity
stack one of the largest untapped opportunities for passkeys in India.

### How large is the digital payments surface that passkeys would protect in India?

India processed over 21.6 billion UPI transactions worth around ₹27.97 lakh crore (about US$318 billion) in December
2025 alone, and more than 228 billion UPI transactions across 2025. With roughly 958 million
internet users, the scale of the login and payment surface makes phishing-resistant
authentication a national priority.

### What are the main barriers to passkey adoption in India?

The three main barriers are the deep entrenchment of SMS OTP and Aadhaar OTP habits, consumer
education gaps around how passkeys work, and legacy integration cost for banks and government
platforms. Regulatory clarity from the RBI is now strong for payments, but broader adoption
across the digital identity stack still requires coordination and standardization.
