From OTP to Passkeys: How RBI’s Framework Drives Better Checkout

Written by Toby Rush
Published on November 26, 2025

TLDR

The Reserve Bank of India’s Authentication Mechanisms for Digital Payment Transactions Directions, 2025 require all digital payments to use two distinct factors of authentication, including at least one dynamic factor, by April 1, 2026. For Indian-issued cards used in cross-border, non-recurring transactions, issuers must implement validation mechanisms by October 1, 2026. This marks a significant shift away from reliance on SMS-based OTPs. For BNPL, wallet, and card product teams, these changes are not only regulatory but strategic — creating an opportunity to modernize authentication, reduce fraud, and improve checkout conversion. Ideem’s Zero-Trust Secure Module (ZSM) and Passkeys+ help institutions transition seamlessly to device-bound passkeys and risk-based authentication, turning compliance into a competitive edge.

The RBI’s new authentication mandate

The RBI’s 2025 Directions introduce a forward-looking authentication framework that redefines how digital transactions will be secured. Every transaction must use two distinct factors of authentication, with at least one being dynamic — meaning it changes for every payment.

While SMS-OTP remains permitted, it is no longer sufficient as the default factor. OTP delivery issues, SIM-swap vulnerabilities, and social engineering attacks have long undermined its reliability. The new framework encourages adoption of dynamic, device-based credentials that are cryptographically bound to the user’s device.

This creates an opening for institutions to move beyond legacy authentication methods and toward deterministic device binding and passkeys. For BNPL, wallet, and card teams, it’s a chance to improve both trust and throughput in their checkout experiences.

Why modern authentication is a growth driver

Relying on static or one-time SMS codes introduces latency and friction. It can also weaken approval rates due to failed or delayed verifications — especially for users on the move or in poor connectivity areas.

Modern authentication methods, particularly device-bound passkeys, allow identity validation to occur locally and securely on the user’s device. When implemented correctly, this reduces false declines and simplifies the payment flow.

For BNPL platforms and wallets, authentication now directly impacts:

  • Conversion: Shorter, smoother checkout experiences drive higher completion rates.

  • Fraud prevention: Device-based authentication drastically reduces phishing and OTP interception risk.

  • Regulatory alignment: Dynamic, device-level factors meet RBI’s requirements without adding friction.

  • Customer trust: Native biometric or passkey-based verification feels natural to users and reinforces confidence.

Ideem’s Passkeys+ integrates deterministic device identity within each transaction, ensuring both compliance and seamless UX. Combined with the Zero-Trust Secure Module (ZSM), financial institutions can unify user verification across all devices, channels, and transaction types.

Key differentiators of the new RBI framework

The RBI’s framework emphasizes three major differentiators that reshape how product teams should approach authentication:

  1. Dynamic factors per transaction
    Every authentication event must generate a unique, transaction-specific challenge. Device-bound passkeys naturally fulfill this requirement through asymmetric cryptography that signs a fresh challenge each time.

  2. Risk-based authentication logic
    The RBI allows contextual risk evaluation to adapt authentication strength dynamically. Transactions that appear anomalous (new device, location mismatch, or unusual value) can trigger step-up verification.

  3. Enhanced control for cross-border transactions
    By October 2026, card issuers must apply validation mechanisms for non-recurring card-not-present transactions across borders. This extends the same strong-authentication philosophy to global payment flows, reinforcing India’s payment integrity internationally.

Each of these differentiators rewards product teams that adopt modern frameworks early.
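
The per-transaction signed challenge from item 1, as an added example that is not part of the original article and not Ideem's code: a simplified Node.js model in which the server issues a single-use nonce, the device signs it together with the payment details, and the server rejects replays and altered amounts. It is not the WebAuthn message format; the function names, the in-memory stores and the sample payee used with it are assumptions made for illustration.

```javascript
// Added example: simplified model of a transaction-bound, single-use signed challenge.
const crypto = require("node:crypto");

// Server state (in-memory for the example): enrolled device keys and open challenges.
const deviceKeys = new Map(); // deviceId -> public key
const pending = new Map();    // challengeId -> { nonce, deviceId, expires }

// Enrollment: the server keeps only the public key; the private key stays on the device.
function enrollDevice(deviceId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  deviceKeys.set(deviceId, publicKey);
  return privateKey; // held in secure hardware in a real deployment
}

// Canonical bytes that bind a signature to one payment and one nonce.
function txBytes(tx, nonce) {
  return Buffer.from(JSON.stringify([tx.payee, tx.amountPaise, tx.currency, nonce]));
}

// Server: issue a fresh random challenge for a device, valid for a short window.
function issueChallenge(deviceId, ttlMs = 120000) {
  const id = crypto.randomUUID();
  const nonce = crypto.randomBytes(32).toString("hex");
  pending.set(id, { nonce, deviceId, expires: Date.now() + ttlMs });
  return { id, nonce };
}

// Device: sign the payment details shown to the user together with the server nonce.
function deviceSign(privateKey, tx, nonce) {
  return crypto.sign("sha256", txBytes(tx, nonce), privateKey);
}

// Server: verify against the transaction it is about to execute, then burn the challenge.
function verifyPayment(id, tx, signature) {
  const entry = pending.get(id);
  pending.delete(id); // single use, whether or not verification succeeds
  if (!entry || Date.now() > entry.expires) return false;
  const key = deviceKeys.get(entry.deviceId);
  if (!key) return false;
  return crypto.verify("sha256", txBytes(tx, entry.nonce), key, signature);
}
```

Because the signature covers the payee and amount as well as the nonce, a signature captured for one payment cannot authorize a different one, and deleting the challenge on first use blocks replay of the same payment.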

Turning compliance into competitive advantage

Rather than viewing RBI compliance as a regulatory burden, BNPL, wallet, and card issuers can treat it as an opportunity to upgrade user experience and increase conversions.

A device-bound passkey implementation helps eliminate the weakest links in current authentication flows. It allows risk checks and credential validation to happen on-device, within milliseconds, while maintaining end-to-end encryption.

Institutions that move early will gain measurable advantages:

  • Reduced cart abandonment due to faster authentication

  • Lower decline rates from OTP or network failures

  • Stronger user retention via trusted, secure experiences

  • Easier international expansion thanks to alignment with global authentication trends

Ideem’s ZSM and Passkeys+ were designed precisely for this transition — embedding strong authentication natively within the app while preserving seamless UX.

Readiness checklist for product and growth teams

1. Audit your current authentication stack
Document where and how authentication currently occurs — including use of OTP, app-based prompts, or external APIs. Identify all points of latency or user drop-off.

2. Map device binding and credential storage
Implement deterministic device binding instead of relying on browser sessions or probabilistic fingerprinting. Ensure each user device can securely store and verify credentials.

3. Adopt biometrics and passkeys
Integrate native platform APIs (like Android and iOS passkey frameworks) to replace static factors. Align passkey lifecycle management with user account policies.

4. Introduce risk-based logic
Incorporate adaptive authentication: use transaction data, device location, and user behavior to adjust required verification strength dynamically.

5. Test cross-border and multi-device scenarios
Simulate authentication for Indian cards used abroad, new devices, and offline contexts. Validate that fallback flows remain compliant and user-friendly.

6. Partner with trusted authentication infrastructure
Deploy secure modules like Ideem’s ZSM to manage device registration, credential lifecycle, and compliance reporting without adding friction.

The road ahead

The RBI’s new framework represents more than regulatory evolution. It’s a moment for India’s fintech ecosystem to align user protection, compliance, and product growth. Modern authentication — especially device-bound passkeys — can simultaneously strengthen trust and increase transaction completion.

BNPL, wallet, and card product teams that act early will find themselves with a real competitive moat. Authentication readiness isn’t just about checking a compliance box — it’s about creating faster, safer, and more profitable digital experiences.

Ideem helps institutions transition seamlessly into this new standard. With ZSM and Passkeys+, teams can meet RBI requirements, improve conversion, and future-proof their authentication infrastructure for a world moving beyond OTPs.
