RBI’s new authentication rules take effect today: Razorpay launches biometric passkey to replace OTPs

As tighter digital payment authentication norms come into force from April 1, Razorpay, an omnichannel payments platform for businesses, has introduced a biometric ‘Passkey’ solution for card transactions, in partnership with Mastercard and with integration from Visa expected soon.

The rollout coincides with the implementation of updated two-factor authentication (2FA) requirements by the Reserve Bank of India, which emphasise the use of dynamic and device-bound factors, including biometrics, to strengthen transaction security.

The new system enables users to authenticate online card payments using fingerprint or facial recognition on their devices, reducing reliance on one-time passwords (OTPs). Authentication is completed directly on the user’s device without redirects or manual input.

OTP-based verification has been a standard in India’s digital payments ecosystem but has also been associated with transaction failures. Industry estimates indicate that about 35% of payment failures stem from authentication-related issues such as delayed OTP delivery, incorrect entry, or session timeouts.

The biometric passkey approach is designed to address these challenges by enabling instant, device-based verification. The company said the system can improve transaction success rates to as high as 95% while lowering OTP-related failures.

The shift comes amid a rise in digital payment fraud. Data from the central bank shows that over 13,500 internet fraud cases were reported in FY25, with losses exceeding ₹520 crore, underscoring the need for more secure authentication mechanisms.

Unlike OTP-based systems, passkey-based authentication uses tokenised credentials stored on the user’s device, ensuring that sensitive card details are not shared with merchants or third parties. This reduces the risk of data compromise and fraud.