Passkeys: How to Ditch Passwords and OTPs in India
Every Indian internet user knows the drill: type a password you half-remember, wait for an OTP, fish it out of an SMS while a delivery alert buries it, then start over because it expired. Passkeys throw that whole ritual out. Instead of a secret you type, your account is unlocked by the same fingerprint or face scan you already use to open your phone. No password to forget, no code to read out to a scammer pretending to be your bank.
The shift is no longer theoretical. The FIDO Alliance, the industry body behind the standard, said the number of passkeys in use crossed 5 billion worldwide around its World Passkey Day in May 2026. Google, Apple, Microsoft, WhatsApp and a long list of services now support them. India is a step behind the faster-moving markets in Europe and the US, which is exactly why it's worth getting ahead of the curve now.
What a passkey actually is
A passkey is a pair of digital keys created when you register. One key, the public half, sits on the website's server. The other, the private half, stays locked inside your phone or laptop and never leaves it. When you log in, your device proves it holds the private key without ever sending it across the internet.
The biometric — your fingerprint or face — does not get uploaded anywhere. It simply unlocks the key stored on your device. That single design choice is why passkeys are so much stronger than what we use today.
Think of a password as a secret you and the website both know, which means it can be guessed, leaked in a data breach, or coaxed out of you on a phone call. A passkey is more like a physical key that only fits one specific lock. There is nothing for a hacker to harvest in bulk and nothing for you to accidentally hand over.
Why this beats OTPs and passwords
The biggest win is that passkeys are phishing-proof by design. A passkey created for your real bank simply will not work on a lookalike site, because the browser checks that the site's domain matches the one the passkey was created for before it lets the key respond. The fake page gets nothing.
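The key-pair login from "What a passkey actually is" and the address check described above, as an added Node.js sketch (not code from this article or from any service it names): the device signs the server's one-time challenge together with the page's origin, and the server checks both. The domains bank.example and bank-example.test and all function names are constructed for illustration, and the browser's domain rule is simplified.

```javascript
// Added illustration: a simplified WebAuthn-style sign-in, not a full implementation.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();

// Registration: the device keeps privateKey; the site stores only publicKey.
const RP_ID = "bank.example";                  // constructed domain the passkey is bound to
const EXPECTED_ORIGIN = "https://bank.example";
const { publicKey, privateKey } =
  nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });

// Browser + device: returns a signed assertion, or null when the page may not use the key.
function deviceSign(pageOrigin, rpId, challenge) {
  const host = new URL(pageOrigin).hostname;
  // Browser rule (simplified): a page can only request passkeys scoped to its own domain.
  if (host !== rpId && !host.endsWith("." + rpId)) return null;
  if (rpId !== RP_ID) return null;             // the device holds no passkey for this domain
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin: pageOrigin }));
  const flags = Buffer.from([0x05]);           // user present (0x01) + user verified (0x04)
  const authData = Buffer.concat([sha256(rpId), flags, Buffer.alloc(4)]); // 4-byte counter
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: nodeCrypto.sign("sha256", signed, privateKey) };
}

// Server: check challenge, origin, domain hash and flags, then the signature itself.
function serverVerify(assertion, challenge) {
  if (!assertion) return "no-assertion";
  const client = JSON.parse(assertion.clientDataJSON.toString());
  if (client.type !== "webauthn.get") return "wrong-type";
  if (client.challenge !== challenge.toString("base64url")) return "stale-challenge";
  if (client.origin !== EXPECTED_ORIGIN) return "wrong-origin";
  if (!assertion.authData.subarray(0, 32).equals(sha256(RP_ID))) return "wrong-rp";
  if ((assertion.authData[32] & 0x05) !== 0x05) return "no-user-verification";
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, publicKey, assertion.signature)
    ? "ok" : "bad-signature";
}

function demo() {
  const challenge = nodeCrypto.randomBytes(32);  // fresh per login attempt
  const real = serverVerify(deviceSign(EXPECTED_ORIGIN, RP_ID, challenge), challenge);
  const lookalike = deviceSign("https://bank-example.test", RP_ID, challenge);
  const replayed = serverVerify(deviceSign(EXPECTED_ORIGIN, RP_ID, challenge),
    nodeCrypto.randomBytes(32));               // old assertion, new challenge
  return { real, lookalike, replayed };
}
console.log(demo());
```

The private key is used only inside `deviceSign`; the server side works from the public key alone, and a response signed for one challenge is useless against the next.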
That matters enormously in India, where the dominant fraud is not sophisticated hacking but social engineering — the caller posing as a bank officer, the urgent SMS with a link, the "share the OTP to confirm your refund" trap. An OTP is only as safe as the most panicked moment of your day. A passkey removes the secret that those scams depend on. There is no code to repeat, so there is nothing to steal over a phone call.
A few practical advantages, in plain terms:
- Nothing to remember. No password, no reset emails, no reused logins across ten sites.
- Nothing to type. Sign-in is a tap and a fingerprint, often in under two seconds.
- Nothing to leak. A breach of the website cannot expose your private key, because the site never had it.
- No OTP delays. No waiting on a flaky network for a code that lands after it expires.
Set it up in the next ten minutes
You do not need new hardware. Any reasonably recent Android phone or iPhone can store passkeys, and they sync so your accounts follow you to a new device. Here is where to start.
- Google account. Open your Google Account settings, go to Security, and look for the Passkeys option. Tap to create one and approve with your screen lock. From then on you can sign in to Gmail and other Google services with just your fingerprint.
- WhatsApp. In Settings, open Account, then Passkeys, and follow the prompt. This replaces the SMS code you normally get when setting up WhatsApp on a new phone — a meaningful upgrade, since SIM-swap fraud targets exactly that code.
- Apple ID. On an iPhone, passkeys are built into iCloud Keychain and switch on with your Apple Account; you'll be offered them automatically on supporting sites.
- Microsoft, and the rest. Microsoft accounts, plus the likes of Amazon, LinkedIn, PayPal and several password managers, now let you add a passkey from their security settings. Add them as you go.
A useful habit: each time you log in somewhere and the site offers to "create a passkey" or "make sign-in faster," say yes. Within a few weeks your most-used accounts are passwordless without any single big effort.
The catch nobody mentions
If the key lives on your phone, what happens when the phone goes into the river? This is the fair worry, and the honest answer is that you need a backup plan, not blind faith.
Most passkeys today sync to the cloud — through Google Password Manager on Android or iCloud Keychain on Apple. When you sign in to a new device with the same account, your passkeys come along. So a lost phone is usually a brief annoyance, not a lockout, provided you can still get into your Google or Apple account.
That shifts the weak point upward: protect the account that holds your passkeys. Keep a strong recovery method on it, note down any backup codes it gives you, and ideally register a passkey on a second device such as a laptop or tablet. Treat your Google or Apple account recovery the way you'd treat the spare key to your house.
One more wrinkle for India. Passkeys you create on a phone are tied to that ecosystem, so moving everything from Android to iPhone is not yet seamless. The standards bodies are building a clean export-and-import path, but for now, having the same account signed in across your devices is the safest cushion.
Where India's banks and government stand
This is the gap. Indian banking and UPI still run almost entirely on SMS OTP, the very thing passkeys are built to retire. The good news is that the Reserve Bank of India has asked the industry to offer alternatives to SMS-based authentication, and the technology to do it is now mainstream.
There is early movement. Payment processors including Razorpay and Cashfree have started supporting passkey-style card authentication, aligned with the RBI's push for stronger, less fragile sign-in than a six-digit text. Expect more banks and wallets to add a "login with fingerprint" passkey option through 2026, first for app sign-in and later, perhaps, for transactions.
Don't expect Aadhaar to switch overnight, though. The UIDAI system still uses OTPs and a password to open your e-Aadhaar, and a change there would be a much larger undertaking. For now, the realistic strategy is to make your personal accounts — email, messaging, shopping, social — passwordless first. Those are the ones attackers use to reach everything else.
The bottom line
Passwords were a 1960s idea stretched across a country now running its life on a phone. They leak, they get reused, and they feed the scam-call economy that costs Indians thousands of crores a year. Passkeys close the single door those frauds walk through, because there is no shared secret left to trick out of you.
You won't go fully passwordless this week, and you don't need to. Switch on passkeys for your Google account and WhatsApp today, say yes whenever a trusted app offers one, and make sure your Google or Apple recovery is rock solid. Each passkey you add is one fewer password a breach can spill and one fewer OTP a caller can con out of you.


