Razorpay has launched a biometric passkey-based card authentication solution in India, developed in partnership with Mastercard and Visa.
The solution replaces one-time passwords (OTPs) with device-bound biometric verification, including fingerprint or facial recognition, allowing cardholders to authenticate payments without redirections or manual input steps.
The launch positions Razorpay's offering as fully compliant with the Reserve Bank of India's (RBI) two-factor authentication framework, which came into force in 2025. Rather than eliminating a security layer, the solution substitutes the OTP step with biometric confirmation anchored to the user's device, satisfying the regulatory requirement while reducing checkout friction.
From proof of concept to live infrastructure
According to the official press release, the development of this capability spans several years. In 2024, at the Global Fintech Fest, Razorpay and Mastercard demonstrated a live proof of concept for biometric card authentication using passkeys. In 2025, as the RBI's two-factor authentication regulations took effect, Razorpay deployed native Access Control Server (ACS) infrastructure designed to support biometric authentication at scale within ten days of the regulatory deadline. In 2026, at the AI Impact Summit, Razorpay demonstrated the technology operating within live commerce journeys alongside Mastercard and a retail partner.
The current release integrates both Mastercard and Visa networks, extending the solution's reach across a broader share of card transactions processed in India.
Regulatory alignment and market context
India's digital payments ecosystem has seen substantial growth in tokenisation and authentication infrastructure. The RBI has consistently pushed for stronger, more resilient authentication mechanisms, and the passkey standard, which was built on FIDO (Fast Identity Online) protocols, aligns with that direction by binding credentials to a specific device rather than transmitting them over a network.
For merchants, the practical implications include fewer abandoned transactions at the authentication step, a consistent pain point in OTP-based flows where delays or network issues cause session breaks. In addition, for cardholders, the model removes the dependency on receiving and entering a time-sensitive code, which carries risks including interception and SIM-based fraud.
The solution is described as suited to both conventional interface-based transactions and conversational commerce environments, where OTP flows are structurally more disruptive to user experience. A company official stated that authentication should enable rather than slow commerce, and that the goal is to make verification instant and compatible with AI-driven and mobile-first environments.
Visa's representative noted that the passkey solution is designed to move the ecosystem beyond OTP-dependent flows while remaining aligned with the RBI's two-factor authentication requirements. Mastercard's officials also described the development as a critical shift for the industry, reflecting the regulatory direction set by India's central bank.
