Passkeys Gain Regulatory Momentum as India Mandates Two-Factor Authentication and NIST Formalizes Syncable Credentials
India's Reserve Bank enforces mandatory two-factor authentication for all digital payments from April 1, while NIST's updated identity guidelines and Microsoft's passwordless-by-default accounts mark a coordinated global shift toward phishing-resistant authentication.
The global push to replace passwords with cryptographic credentials reached a series of milestones in recent months, as regulators, standards bodies, and platform vendors converged on passkeys as the preferred path to phishing-resistant authentication.
India Ends the SMS OTP Era for Digital Payments
The Reserve Bank of India’s Authentication Mechanisms for Digital Payment Transactions Directions, 2025, took effect on April 1, 2026, requiring every domestic digital payment — whether conducted through UPI, debit and credit cards, or mobile wallets — to include at least two distinct authentication factors. The three permitted categories are something the user knows, something the user has, and something the user is, with at least one factor generated dynamically per transaction.
The mandate does not eliminate SMS-based one-time passwords outright but strips them of their long-standing status as a standalone verification method. Banks and payment service providers must now pair OTPs with a second factor such as biometric verification, device-bound tokens, or cryptographic keys. A risk-based authentication framework permits streamlined flows for low-value contactless payments under 5,000 rupees, while flagging anomalous or high-value transactions for full two-factor verification. Cross-border card-not-present transactions face a separate compliance deadline of October 1, 2026.
The directive lands in a market where UPI alone processes more than 20 billion transactions per month across more than 500 million users, making India’s authentication overhaul one of the largest coordinated security upgrades in the history of digital payments. The FIDO Alliance submitted formal input to the RBI in December 2024 advocating for FIDO2-based passkeys as a compliant authentication factor, and device-bound cryptographic credentials are expected to see rapid adoption among Indian banks seeking to satisfy the new requirements.
NIST Codifies Syncable Authenticators in Updated Identity Guidelines
The United States moved in parallel with the July 2025 release of NIST Special Publication 800-63B-4, the first major revision of the federal digital identity guidelines since 2020. The update formally recognizes syncable authenticators — the technical category that encompasses synced passkeys — as qualifying for Authenticator Assurance Level 2 (AAL2), the tier required for most federal and enterprise applications.
Under the new guidelines, syncable authenticators must generate all keys using approved cryptography, encrypt exported keys with a minimum 112-bit security strength, and perform all private-key operations on the local device. Verifiers are required to inspect WebAuthn response flags confirming user presence, user verification, and backup eligibility before accepting a credential. The specification stops short of granting syncable credentials AAL3 status, noting that key cloning to cloud storage violates the non-exportability requirements of the highest assurance tier.
The practical effect is that federal agencies and the private-sector organizations that follow NIST guidance now have a clear compliance path for deploying passkeys at scale, removing a regulatory ambiguity that had slowed enterprise adoption.
Microsoft Makes Passwordless the Default
Microsoft reinforced the industry trajectory in May 2025 when it made all new accounts passwordless by default, prompting users to enroll a passkey using biometric authentication at sign-up rather than creating a password. The company reported that passkey sign-ins are three times more successful than password-based logins, with a 98 percent success rate compared to 32 percent for passwords, and that password usage dropped by more than 20 percent after the redesigned sign-in flow launched in March 2025.
According to the FIDO Alliance, more than 15 billion user accounts worldwide can now authenticate with passkeys. Amazon has disclosed 175 million passkey-enabled accounts, and Google reported over 400 million accounts using passkeys as of mid-2024, a figure that has continued to grow.
Portability Remains the Next Frontier
The remaining friction point is credential portability. The FIDO Alliance’s draft Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) define a standard for securely transferring passkeys, passwords, and other credentials between credential managers, using Hybrid Public Key Encryption to protect data in transit. Apple, Google, Microsoft, 1Password, Bitwarden, Dashlane, and Samsung are among the contributors, though the specifications remain in draft status with no finalized timeline for ratification.
Until CXP reaches production readiness, users who switch platforms or password managers face the prospect of re-enrolling passkeys from scratch — an inconvenience that enterprise IT teams and consumer advocates have identified as the single largest barrier to full password elimination.