‘Password resets cost businesses more than they realise’: Zoho exec on ROI of going passwordless

Dorai explained how passwordless authentication has moved from being a futuristic concept to a present-day reality for businesses and users in India. Below are excerpts from the conversation:

How do you define passwordless authentication? What are the specific pain points that it addresses for Indian businesses and consumers?

India is undergoing one of the world’s fastest digital transformations, with over 900 million people now using mobile devices and the internet. Yet traditional password-based authentication remains the default for most users, requiring a username and password. The problem is that many of these passwords are weak, reused across multiple apps, or easy to guess—often based on names, birthdays, anniversaries, or pet names. Attackers armed with AI tools can crack such credentials with little effort.

Passwordless authentication eliminates this vulnerability. Instead of relying on memorized secrets, it uses technologies like passkeys and single sign-on (SSO), both of which have matured over the past five years, to provide seamless, secure logins for employees and customers without compromising security.

What are the key trends or technologies that have allowed the passwordless method to move from concept to mainstream adoption in India?

India tends to adopt new technology faster than many other regions. For example, most regulated businesses, such as banks, hospitals, and financial institutions, have already reinforced multi-factor authentication (MFA), typically through OTPs, with some even using biometric MFA.

At Zoho.com, our cloud division, we provide single sign-on across applications such as HR and finance. Users don’t need to remember a password: with our Smart Sign-in powered by Zoho OneAuth, they simply enter a username and verify via an ID scan or QR code. This approach has driven strong adoption in India.

In the last couple of years, passkeys have also come to the forefront as a tamper-proof method that can replace both passwords and biometrics. Zoho is now a FIDO Alliance member and supports passkey technology for services like Google. We also help businesses securely store their passkeys through Zoho Vault, our password manager.

Can you share some India-specific examples of industries leading in passwordless adoption, and what’s driving the urgency?

The urgency stems from the sharp rise in fraudulent activity across India. Weak or stolen passwords remain the top cause of credential theft and account takeovers, pushing companies to act quickly.

For example, Mastercard and Amazon have both introduced passkey-based logins for their services. Major Indian banks such as SBI and HDFC are also rolling out biometric authentication, especially for high-value transactions, to strengthen security.

Finance and e-commerce are currently at the forefront of this shift, steadily moving away from traditional passwords toward passwordless authentication.

For mid-size Indian companies or enterprises, what are the practical first steps they should be taking today in order to future-proof their authentication strategy?

They should not start moving away entirely to passkeys or passwordless all of a sudden; this should happen in a phased manner. First of all, they need to discover the current authentication mechanism in their organisation. Maybe start with a few departments first and then later explain it to the larger workforce. 

In this way they will be able to know the challenges faced by their current workforce and also the challenges within their IT infrastructure. And then they can slowly roll out to their employees and to external stakeholders. 

Zoho has more than 55 applications and a user base that spans across 130 million. How does it integrate this passwordless authentication seamlessly?

At zoho.com, we offer single sign-on for the entire 55 different applications. Our users don’t need to remember passwords for all 55 different servers; they just need to remember their username, and they can use smart sign-in covered by Zoho OneAuth, our MFA, to get access to all the services.

On top of it, we also have our password manager, Zoho Vault, which kind of helps businesses that are already with password-based authentication to have a centralised system.

We also have Zoho Vault password manager, which in a way helps businesses to store all the passwords in a centralised repository and also enforce password policies and equip the workforce with the password generator so they can use strong, unique passwords for every single account and also share them with different levels of access privileges.

We also have smart sign-in via password list, and with Zoho Vault, we still cater to the password-based authentication mechanism. With Zoho Directory, the identity access management platform, we offer single sign-on for non-Zoho services. So, they simply need to log in to Zoho, and from there, they can, within a single click, log in to all other services without remembering additional passwords.

What are the common misconceptions or fears that Indian businesses have about eliminating passwords entirely, and how do you plan to address them, or how have you been addressing them? 

The passwordless mechanism is something most of us would have used to access different servers. Maybe we will use login via Google or login via Apple ID. This is the most common example for a passwordless. We don’t enter our password to a website; instead, we use login via Google or login via Apple ID for that instance.

The primary concern for most Indian businesses is that this technology is quite complex.They think that ‘this is going to incur me a lot of cost. I need to also put in a lot of effort to train my employees.’In contrast, Zoho Directory or Zoho Vault or the solutions that are passwordless are easier to implement and are also going to cut a lot of costs for businesses. 

Usually, help desk agents will deal with the ‘forget password’ tickets. This takes a lot of time for the help desk to process the request. While passwordless technology, even though businesses may have to spend on infrastructure in the beginning, can cut down costs in the long run. It is also going to secure the business data from instances of phishing or other forms of cyber attacks. 

In the hybrid workspace, what kind of unique authentication challenges does this bring forward? And how can a passwordless method or an authentication help in mitigating that? 

While employees have moved to a hybrid work environment, companies have started adapting by prioritising security measures. For instance, they have started rolling out zero-knowledge architecture and just-in-time privileges. 

I am in Singapore; I cannot access critical information from my device without getting authorisation from my IT admin. This is known as just-in-time access, or time-limited access. I am required to raise an access request every single time to get access to the critical information. 

India has started to focus on technologies like zero plus, just-in-time, and privileged password authentication. On the other hand, tools like Zoho Directory or Zoho Vault are, in a way, helping to tackle this hybrid work scenario without creating any friction in employee experience. 

How do you see the Indian regulatory environment and data-protection laws influencing the growth of passwordless authentication going forward?

I think the outlook is very encouraging. India’s new Digital Personal Data Protection (DPDP) Act, along with recent RBI regulations, is pushing financial institutions to implement multi-factor authentication at a basic level and gradually move toward passwordless authentication over time.

This climate of compliance is positive and extends beyond banking – it’s spreading to e-commerce, hospitals, healthcare, education, and other sectors. That’s especially important for students and others who may not be aware of many cybersecurity threats. We aim to provide them with a convenient and secure way to log in and protect their data, whether educational or personal.

What kind of measurable security or productivity gains have Zoho or its customers seen after going passwordless?

We have observed a sixfold increase in login security for companies that adopted passkey-based authentication. Month over month, Zoho.com has seen passkey adoption grow by more than 30 per cent since we rolled out this feature.

We recently became a member of the FIDO Alliance and signed the Passkeys Pledge to promote passkey adoption in India and globally. We are also running educational initiatives, such as sessions at our user conferences, to raise awareness of the evolving cyber-threat landscape and to help people take the right steps to protect both personal and business data.

For the uninitiated, FIDO (Fast IDentity Online) is an open standard compatible with nearly every major browser, platform, server, application, and device.

When we see emerging technologies like biometrics, W3C WebAuthn and decentralised identity, how do you see these impacting passwordless adoption in the next few years?

Zoho takes a practical view; we don’t expect transformations overnight. But within the next three years, we believe passwordless authentication will become mainstream in India, much like how UPI quickly made cheque-based banking obsolete. The RBI and other regulators are already pushing initiatives to safeguard the financial data of India’s 1.3 billion people, and protecting national interests and data sovereignty is critical. That’s where modern identity and access management technologies will play a central role.

What role do AI and machine learning play in strengthening or personalising passwordless authentication?

We’ve begun integrating AI and ML into both password-based and passwordless systems. For password-based logins, Zoho alerts users if they try to reuse a password known to be compromised—leveraging our ZIA assistant and external breach databases like ‘Have I Been Pwned’. For passwordless authentication, we use behavioural analytics powered by Zoho’s AI for threat detection, phishing prevention in email, and password detection in our vaulting system. These measures help us proactively identify risks and improve user safety.

What does a fully passwordless India look like by 2030, and what milestones must the industry hit to get there?

Milestones will arrive gradually, but by 2030 we expect most organisations, whether Zoho, Amazon, or others, to offer passkey-based authentication as the default. Password-based logins may remain only as a fallback for forgotten devices or rare exceptions, but passwordless will be the standard.

From a business-impact perspective, how do you convince decision-makers that investing in passwordless technology is worth it beyond security benefits?

In our educational sessions we emphasise government compliance first, because businesses pay close attention to regulatory requirements. We also highlight cost savings: a large share of IT help-desk tickets, especially on Mondays and Fridays, are password reset requests. Many companies employ two to five people solely to handle these tickets. By going passwordless, organisations can significantly cut those costs while improving user convenience and overall trust.