Passkeys in India: How to Ditch Passwords and OTPs

For two decades, the ritual of logging in has been the same: type a password you half-remember, wait for an SMS OTP, squint at six digits, and pray the message arrives before it expires. Passkeys are the technology quietly dismantling that ritual — and in India, with a wave of bank deadlines and big-app rollouts, 2026 is the year they finally go mainstream. If you have a smartphone with fingerprint or face unlock, you can start using them today, and this guide explains exactly how.

A passkey is not a fancier password. It is a fundamentally different way to prove who you are — one that nothing gets typed, nothing gets sent over SMS, and nothing can be phished off you by a fake link. Here is what it is, why it matters, and the precise steps to switch.

What a passkey actually is

When you create a passkey for a website or app, your device quietly generates two mathematically linked keys. One is a public key that the website stores — useless to a thief on its own. The other is a private key that never leaves your phone, locked behind your fingerprint, Face ID or device PIN.

To sign in, the site sends a one-time challenge. Your phone signs it with the private key after you unlock with biometrics, and the site verifies the signature against the public key it holds. You experience this as a single tap and a fingerprint — the cryptography happens invisibly in under a second.

The crucial detail: the secret that proves your identity never travels anywhere. There is no password sitting in a database to be leaked, no OTP to intercept, and nothing for you to accidentally hand over. This standard is built by the FIDO Alliance, an industry body whose members include Google, Apple, Microsoft and the major card networks, so it works across the devices and browsers you already own.

Why passkeys beat passwords and OTPs

The case for switching comes down to three hard problems passkeys solve at once.

• Phishing immunity. A passkey is cryptographically tied to the real website's address. If a scammer sends you a lookalike link for your bank, your phone simply won't offer the passkey — it knows the site is fake. This is the single biggest reason security experts favour them.
• No shared secret to steal. Database breaches that spill millions of passwords become far less dangerous, because the site only ever stored a public key. There is nothing reusable to leak.
• No OTP weak points. SMS one-time passwords can be SIM-swapped, read off a notification, intercepted, or socially engineered out of you by a caller pretending to be "bank security." A passkey closes every one of those doors.

There is a convenience dividend too. No more password resets, no waiting for a delayed text on patchy networks, and no juggling a dozen weak variations of the same password across apps.

The India angle: banks, RBI and the OTP sunset

India's regulators have been nudging the country toward stronger login security for a reason — the explosion of digital payments made the humble OTP a favourite target for fraudsters. The Reserve Bank of India has moved to allow and encourage authentication factors beyond the plain SMS OTP, with the industry working toward a shift that picks up pace around April 2026.

That is why you are suddenly seeing card networks like Visa and Mastercard push device-based biometric authentication for online card payments in India, letting your fingerprint approve a transaction instead of an OTP that may never arrive. Several Indian banks and fintech apps have begun offering passkey or biometric sign-in for their apps and net-banking portals.

The practical message for an Indian reader: the OTP is not dead tomorrow, but it is being demoted from your only shield to a fallback. Getting comfortable with passkeys now means fewer payment failures and far better protection against the vishing and phishing scams that drain accounts every day.

How to set up a passkey, step by step

The good news is that the major platforms have made this nearly idiot-proof. Here is the general flow, which is almost identical everywhere.

1. Open the security settings of the account — look for "Passkeys," "Sign in without a password," or "Passwordless."
2. Choose Create a passkey.
3. Your device prompts you to confirm with fingerprint, face unlock or PIN.
4. Done — the passkey is saved to your phone and, on most platforms, synced to your account so it follows you to new devices.

A few platform specifics worth knowing:

• Google account: Go to your Google Account security page and add a passkey. Once set, Android and Chrome let you sign in with just a fingerprint, and the passkey syncs through Google Password Manager with end-to-end encryption.
• WhatsApp: In Settings, under Account, look for Passkey. This lets you verify your account with biometrics instead of waiting for an SMS code — handy when you change phones.
• Apple ID: Passkeys are built into iPhone and stored in iCloud Keychain, syncing across your Apple devices automatically.
• Microsoft, Amazon, and many others: All now support passkeys under their sign-in or security menus.

To sign in later, you simply enter your username (or pick your account), and the device asks for your biometric. No password field, no OTP screen.

The catch: backups, lost phones and shared devices

Passkeys are not flawless, and pretending otherwise would do you a disservice. The biggest worry people have is obvious: what if I lose my phone?

The answer is that most consumer passkeys are synced, not locked to one device. If your passkey lives in your Google, Apple or Microsoft account, signing into a new phone restores it. The discipline you need is to:

• Keep at least one backup sign-in method — a recovery email, a second passkey on another device, or a hardware security key.
• Remotely revoke access from a lost device through your account's security settings, the same way you would sign out a stolen laptop.
• Avoid creating passkeys on shared or public devices, since they tie your identity to that hardware's biometrics.

There is also a fragmentation niggle: moving a passkey between, say, an Android phone and an iPhone is still clunkier than it should be, though cross-platform transfer is steadily improving. And not every Indian website supports passkeys yet — adoption is uneven, so you will keep some passwords around for a while.

Should you switch now?

Yes — selectively and starting with your highest-value accounts. Add a passkey to your email first, because whoever controls your email can reset everything else. Then do your primary Google or Apple account, your WhatsApp, and any bank or payment app that offers it.

Think of it as upgrading the locks on the doors that matter most, while the side gates keep their old keys for now. You lose nothing by adding a passkey — your old password usually still works as a fallback during the transition.

The direction of travel is unmistakable. Billions of passkeys are already in active use worldwide, every major tech platform now supports them, and India's payment rules are tilting decisively away from the SMS OTP. The login of the next decade will not be something you remember and type — it will be you, confirmed by your own fingerprint. The sooner you make the switch on the accounts that count, the safer and less annoying your digital life gets.