Passkey

One touch. Every time after.

Once a user is verified, OTPless offers them a passkey — a cryptographic credential bound to their device. Every sign-in after is one biometric touch: phishing-resistant, sub-second, nothing to type.

Phishing surface: 0
Touch to sign in: 1
Faster than OTP login: 4×
Median sign-in: 320ms

The passkey lifecycle

A passkey is the destination. We own the whole path to it.

The biometric ceremony is the easy part. Bootstrapping a passkey from a verified user, falling back when it's unavailable, and getting users back in when a device is lost — that's the work an auth platform has to own.

01 · Verify: Prove who they are
Phone, email, or WhatsApp confirms a real, known user first.

02 · Enroll: Offer the passkey
At the right moment, the device makes a keypair. The private key never leaves it.

03 · Sign in: One biometric touch
Every visit after: Face ID signs a challenge, we verify it. Sub-second, no typing.

Fallback: Unsupported? No dead end
No passkey on this device — Mobile Auth picks the next best channel.

Recover: Lost device, still in
A verified channel re-establishes trust and re-issues a passkey on the new device.

Why passkeys

No shared secret. Nothing to phish.

A passkey can't be guessed, reused, intercepted, or typed into a fake site. There's no code in transit and no secret on your servers to leak.

Phishing-resistant
Credentials are bound to your origin. A look-alike site can't trigger the passkey, so there's nothing to hand over by mistake.
Nothing to steal
The private key never leaves the device. Your servers hold only a public key — useless to an attacker, nothing to breach.
4× faster
One biometric touch versus waiting for an OTP and typing it. Sign-in resolves in around 320ms.
Built for

The express lane for returning users.

Passkeys aren't a first-touch method — they're the fast, hardened path for users you've already verified. They pay off most here.

Fintech & payments
High-value accounts where phishing and SIM-swap are real threats — and step-up confirms a transaction in one touch.
High-frequency apps
Daily logins — trading, media, gaming, productivity — where shaving every sign-in to one touch compounds fast.
Password replacement
Retire passwords and the "forgot password" reset loop for enrolled users — fewer secrets, fewer tickets.
OTP cost reduction
Every returning user on a passkey is an SMS or email OTP you don't send — and don't pay for.
Integration

Enrol once. Biometric sign-in forever.

A drop-in addition to your existing auth — no rip-and-replace. Offer a passkey after a verified sign-in, then let returning users tap to log in.

passkey.ts web · javascript
// After a verified sign-in, offer a passkey.
const passkey = await otpless.enrolPasskey({
  userId:      "u_4f8a92",
  displayName: "[email protected]",
});

// Next visit — one tap, no password.
const session = await otpless.signInWithPasskey();

if (session.verified) {
  signIn(session.token);
}
// If passkeys are unsupported on this device, fall back to Mobile Auth.

// install: npm i @otpless/web

signInWithPasskey · resolved · 320ms
auth · verified user
  method: PASSKEY
  status: VERIFIED
  factor: biometric
  verifiedAt: 1778612141195
credential
  standard: WebAuthn
  privateKey: on-device
  phishing: resistant
  synced: keychain
origin-bound · no shared secret · region: in

Customer Outcomes

The numbers our customers ship with.

* Metrics measured against pre-OTPless baselines.

25M+ logins / month
"OTPless completely transformed how users log in at Meesho — fast, effortless, and frustration-free. Over 25 million seamless logins every month and a 10% boost in conversion."
Arjit Verma, Associate Director · Meesho

98%+ login success
"Astrotalk partnered with OTPless to simplify login, reduce operational complexity, and support international scale. Zero-touch flows and intelligent routing delivered measurable impact on conversion, cost, and experience."
Siddharth Singh · CTO · Astrotalk

94.1% login success
Ankit Bhatia, Product Head · Seekho

6M+ logins / month
Vishesh Upparamani, PM · Classplus

Frequently asked

Common questions.

What is a passkey?
A passkey is a WebAuthn/FIDO2 credential bound to the user's device and unlocked with biometrics — Face ID, Touch ID, or Windows Hello. There's no password and no shared secret: the device holds a private key and signs a challenge, while your servers keep only the public key.
Do users start with a passkey?
No — passkeys are the destination, not the front door. You first verify a real user with phone, email, or WhatsApp, then OTPless offers a passkey at the right moment. From then on, that user signs in with one biometric touch.
What if a device doesn't support passkeys?
There's never a dead end. When a passkey isn't available, OTPless Mobile Auth automatically falls back to the next best channel — SNA, WhatsApp, SMS, or email — so the user always gets in.
What happens if a user loses their device?
The same verified channels become the recovery path. The user re-verifies via phone, email, or WhatsApp, OTPless re-establishes trust, and a fresh passkey is issued on the new device. Passkeys also sync via Apple Keychain, Google Password Manager, and 1Password.
Are passkeys really more secure?
Yes. Credentials are origin-bound, so a phishing site can't trigger them; there's no code in transit to intercept and no secret on your servers to breach. They eliminate password reuse, credential stuffing, and SIM-swap interception.
How hard is it to add?
It's a drop-in addition to your existing OTPless auth — no rip-and-replace. Call enrolPasskey after a verified sign-in and signInWithPasskey on return. Most teams roll it out in phases, promoting returning users off OTP over time.
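
The origin binding and challenge signing described in the answers above come down to a handful of checks that a WebAuthn relying party runs on every sign-in assertion. The following is an added example in Node.js, not OTPless code or its SDK; acme.example, the function names, and the in-process key pair standing in for the user's device are assumptions.

```javascript
const crypto = require("node:crypto");

// Assumed relying party; every sample value in this block is constructed.
const RP_ID = "acme.example";
const ORIGIN = "https://acme.example";
const sha256 = (d) => crypto.createHash("sha256").update(d).digest();

// Stand-in for the device: the key pair is created "on the authenticator";
// a real server would only ever store publicKey.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });

// Builds what the browser and authenticator return for a sign-in on `origin`.
function makeAssertion(challenge, origin, rpId = new URL(origin).hostname) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin,
  }));
  // authenticatorData = rpIdHash (32 bytes) | flags (UP|UV = 0x05) | signCount (4 bytes)
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign("sha256", signed, privateKey) };
}

// Server-side verification: returns "ok" or the name of the first failed check.
function verifyAssertion(a, expectedChallenge, storedPublicKey) {
  const c = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (c.type !== "webauthn.get") return "wrong type";
  if (c.challenge !== expectedChallenge.toString("base64url")) return "challenge mismatch";
  if (c.origin !== ORIGIN) return "origin mismatch";
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return "rpId mismatch";
  if ((a.authData[32] & 0x05) !== 0x05) return "user not present/verified";
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, storedPublicKey, a.signature) ? "ok" : "bad signature";
}

function demo() {
  const challenge = crypto.randomBytes(32); // issued per sign-in, single use
  const check = (a, ch = challenge) => verifyAssertion(a, ch, publicKey);
  return {
    genuine: check(makeAssertion(challenge, ORIGIN)),
    lookalike: check(makeAssertion(challenge, "https://acme-login.example")),
    wrongRpId: check(makeAssertion(challenge, ORIGIN, "acme-login.example")),
    replay: check(makeAssertion(challenge, ORIGIN), crypto.randomBytes(32)),
  };
}
console.log(demo());
```

The origin and rpIdHash values are written by the browser and authenticator rather than typed by the user, which is why an assertion produced on a look-alike site fails verification even though the signature itself is valid.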
Start with Passkey

Move past the password. Quietly.

OTPless ships passkeys as a drop-in on top of your existing auth — verified bootstrap, automatic fallback, and recovery handled. Talk to us about a phased rollout.

SOC 2 · ISO 27001 · WebAuthn / FIDO2