For the first time in India, an at-scale OTP-less authentication framework will enable customers to complete credit and debit card transactions using device biometrics at a time when card frauds remain a concern.
“Of our consumers to whom we have shown an option to opt in for passkeys, 30 per cent of them are moving away from OTPs. These are people who also have a higher transacting frequency than those who have not opted in,” said Ravi Datla, senior vice-president, customer solutions, Mastercard.
The rollout across networks is expected to be gradual, with customers having an option to opt in for passkeys or continue with OTPs for a while. The rollouts also follow the Reserve Bank of India’s (RBI’s) guidelines issued last year that require at least one of the two factors of authentication to be dynamically generated or proven, paving the way for biometric verification.
“We welcome the RBI’s progressive move beyond OTP. Together with our partners, we are excited to roll out Visa Payment Passkey to bring faster, safer and more inclusive authentication for Indians using native device-based methods such as biometrics, PINs (personal identification numbers) and patterns,” Ramakrishnan Gopalan, vice-president and head of products & solutions for India and South Asia at Visa, told Business Standard.
Between FY22 and September 2025, credit card frauds totalled 244,000 cases involving about ₹1,447.27 crore, while debit and ATM card frauds stood at 94,991 cases worth ₹401.17 crore. Industry executives said social-engineering frauds, where users are tricked into sharing OTPs or PINs, were a major contributor to frauds within the ecosystem.
“OTPs have also exposed the ecosystem to phishing attacks and social engineering where people are tricked into giving away their OTPs in spite of all the investment that the ecosystem made in the space,” Datla from Mastercard added.
Passkeys are expected to curb fraud arising from social engineering, while also improving transaction success rates by 2 to 3 per cent by removing SMS-based authentication friction. Beyond frauds, the friction caused by SMSes also leads to delays in processing transactions, which is eliminated when biometrics are used to authorise a payment.
The technology is enabled through integration among card networks, issuers, payment aggregators, and merchants.
In a passkey-based payment flow, a user’s biometric unlocks a private key stored securely on the device. This signs a one-time challenge from the issuer, which the bank verifies using a corresponding public key before authorising a card payment.
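The challenge-response step described above, sketched in Node.js as an added illustration (not code from the article, the card networks or any issuer). The names, the P-256 curve and the binding of transaction details into the signed data are assumptions, and the in-memory private key stands in for a device-held key that a biometric would unlock.

```javascript
const nodeCrypto = require('node:crypto');

// Enrolment: the device creates a key pair; only the public key goes to the issuer.
// (Assumption: on a real device the private key stays in secure hardware.)
function enrolDevice() {
  return nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
}

class Issuer {
  constructor(publicKey) {
    this.publicKey = publicKey;
    this.pending = new Map(); // challenge (hex) -> transaction it was issued for
  }
  // One fresh random challenge per payment attempt.
  issueChallenge(txn) {
    const challenge = nodeCrypto.randomBytes(32).toString('hex');
    this.pending.set(challenge, JSON.stringify(txn));
    return challenge;
  }
  // Accept only an unused challenge with a valid signature over challenge + transaction.
  authorise(challenge, signature) {
    const txn = this.pending.get(challenge);
    if (txn === undefined) return false; // unknown or already used
    this.pending.delete(challenge);      // single use, even if verification fails
    const signed = Buffer.from(challenge + '|' + txn);
    return nodeCrypto.verify('sha256', signed, this.publicKey, signature);
  }
}

// Device side: sign the challenge together with what the user saw and approved.
function signOnDevice(privateKey, challenge, txn) {
  const signed = Buffer.from(challenge + '|' + JSON.stringify(txn));
  return nodeCrypto.sign('sha256', signed, privateKey);
}

function demo() {
  const { publicKey, privateKey } = enrolDevice();
  const issuer = new Issuer(publicKey);
  const txn = { merchant: 'example-store', amountInr: 1499 }; // constructed sample

  const c1 = issuer.issueChallenge(txn);
  const sig1 = signOnDevice(privateKey, c1, txn);
  const genuine = issuer.authorise(c1, sig1);
  const replayed = issuer.authorise(c1, sig1); // same challenge presented again

  const c2 = issuer.issueChallenge(txn);
  const other = { ...txn, amountInr: 99999 };  // device signed a different amount
  const altered = issuer.authorise(c2, signOnDevice(privateKey, c2, other));
  return { genuine, replayed, altered };
}
```

Unlike an OTP, nothing the user could read out or type is ever produced: the signature is only valid for one challenge and one transaction, and the private key never leaves the device.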
“There are challenges with OTP delivery at some banks, which leads to a transaction failing during checkout. If that step is eliminated using data stored within the system used for authentication, transaction success rates improve,” an industry source said.
Datla said banks do not require fresh integrations with networks like Mastercard but need to focus on policy changes, how the new authentication mechanism functions, and other rules.
“They don't need to integrate to any new APIs (Application Programming Interfaces). The bank needs to do a bit of policy changes, look at this new authentication mechanism and they need to figure out their rules. It’s more process than tech,” he added.