Let’s be honest…passwords have become a daily hassle.
We’re expected to create complex combinations, including uppercase, lowercase, symbols and numbers. Avoid reusing them. Remember them all. And even then, static passwords remain one of the weakest links in digital security and are alarmingly vulnerable.
With cyberattacks surging in recent years, something had to change.
Now, major travel brands like Booking.com and Skyscanner are ditching the password in favour of One-Time Passcodes (OTP): a smarter, simpler and, most importantly, more secure way to log in. It’s part of a wider shift across the travel industry, where user expectations are evolving and outdated security just won’t cut it.
OTP-first login isn’t just more robust – it’s faster, easier, and future-ready. At Rezcomm, we recognised this early and built our authentication model around it, aligning with best practices to protect customer data while helping our airport partners stay compliant, confident, and ahead of the curve.
The shift toward OTP-based login isn’t another digital trend. It’s driven by evolving regulatory standards and a need for stronger, more user-friendly security models. Under PCI DSS 4.0 (the latest version of the Payment Card Industry Data Security Standard), static passwords used in isolation are no longer considered compliant. Instead, the framework favours multi-factor authentication (MFA) approaches that reduce reliance on single points of failure.
This change reflects growing concerns around cyber threats such as phishing, brute-force attacks, and widespread password fatigue. Traditional login methods are increasingly vulnerable, both from a technical and human-driven standpoint.
At the same time, user expectations are changing. Today’s mobile-first customers expect fast, seamless access, and OTPs deliver exactly that. They reduce friction, simplify login flows, and result in fewer support queries for operators. The result is a win-win: stronger security and a more intuitive user experience that meets the demands of modern digital journeys.
A one-time password is a temporary, unique code (usually 6 digits) that is generated and sent to a user’s email address or mobile device when they request access to a service that requires authentication. These codes are time-sensitive, often expiring in a matter of minutes, which dramatically reduces the risk of an attacker retrieving the code and gaining unauthorised access.
Here’s how it works:
Unlike traditional passwords, OTPs are only valid for a single session. If the session expires or the user logs out, a new OTP must be generated for future access. This approach reduces the risk of attacks and enhances security, ensuring a fresh session every time.
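The issue-and-verify cycle described above, as an added Python example that is not Rezcomm's or any other vendor's code. The class and method names, the 5-minute lifetime, the 5-attempt cap and the hashing of codes at rest are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumption: "a matter of minutes" taken as 5 minutes
MAX_ATTEMPTS = 5        # assumption: attempt cap, not stated on the page


class OtpStore:
    """In-memory store for pending email OTPs (hypothetical names throughout)."""

    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)   # server-side key for hashing codes at rest
        self._pending = {}                    # email -> [digest, expires_at, attempts_left]
        self._clock = clock

    def _digest(self, email, code):
        return hmac.new(self._key, f"{email}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, email):
        """Create a fresh 6-digit code; any earlier code for this address is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, keeps leading zeros
        self._pending[email] = [self._digest(email, code),
                                self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code   # caller delivers this by email or SMS; never log it

    def verify(self, email, code):
        """Return True once for the right code; expiry, reuse and guessing all fail."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at or attempts_left <= 0:
            del self._pending[email]          # expired or exhausted: force a new request
            return False
        entry[2] = attempts_left - 1          # count the attempt before comparing
        if hmac.compare_digest(digest, self._digest(email, code)):
            del self._pending[email]          # single use: consume on success
            return True
        return False
```

The attempt cap matters because a 6-digit code has only one million possible values; without it, the short lifetime alone does not stop online guessing.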
Here’s a simple side-by-side comparison chart:
| Feature | Static Passwords | One-Time Passcodes (OTPs) |
|---|---|---|
| Reuse | Reused across sessions | Valid for a single session only |
| Vulnerability to attacks | High – prone to phishing & brute-force | Low – time-sensitive, single-use only |
| User behaviour risk | High – forgotten or reused passwords | Low – no memorisation required |
| Security compliance (PCI DSS 4.0) | No – non-compliant if used alone | Yes – aligned with MFA standards |
| Ease of use (mobile users) | Lower – typing passwords on small screens | Higher – quick access via inbox |
| Support queries (e.g. resets) | Frequent password reset requests | Fewer support queries |
Travel giants Booking.com and Skyscanner are heading towards a zero-password future. They’re currently in the process of phasing out password fields, in favour of email-based OTPs. No stored passwords. No reset links. Just secure, session-based authentication that aligns with industry best practice frameworks – something Rezcomm has championed from the outset.
Other major players including Expedia Group, Singapore Airlines, Click Travel, Airbnb, and SpiceJet are also embracing OTPs to strengthen authentication. However, in most cases, they’ve added them as a secondary authentication layer, enhancing, rather than replacing, traditional passwords or alternative access like social logins.
The decision by Booking.com and Skyscanner to go passwordless is a clear sign that regulatory standards and user expectations are evolving. Under PCI DSS 4.0, static passwords used in isolation are no longer compliant. By switching to OTPs, these platforms are prioritising:
As with any major shift, there’s a learning curve. Like Rezcomm, these travel brands have encountered initial customer friction, but they’re taking proactive steps to ease the transition:
The message is clear: convenience should never come at the cost of security.
At Rezcomm, we’ve never been afraid to do things differently, implementing OTP as a primary login method early on. It wasn’t just about meeting compliance standards but also building user confidence, maintaining platform integrity and simplifying operations for both passengers and operators. Our decision was grounded in long-term thinking, futureproofing, and anticipating where the industry was heading.
Today, our clients benefit from:
As major travel brands follow suit, it reinforces what we’ve always believed: secure, frictionless access is fundamental to a future-ready platform.
For airport and travel operators, zero-password login designs aren’t just a technical upgrade but a strategic advantage. Transitioning from traditional static passwords to OTP-based authentication creates a smoother, faster login experience for customers, reducing frustration and drop-off during key moments in the customer journey. And we all know: a frictionless experience leads to happier customers who spend more, stay loyal, and return time and time again.
With fewer support requests for forgotten passwords and account resets, back-end operational teams also benefit from reduced admin and improved efficiency.
As consumer expectations around digital convenience and data security continue to evolve, having a speedy, intuitive and secure login system is something businesses must prioritise – and quickly. Adopting future-ready authentication shows customers that their data security and experience truly matter, building trust and confidence.
Rezcomm’s early move to OTP wasn’t about standing out for the sake of it. It was a considered, forward-thinking decision that reflects a broader industry evolution. We’re proud to help our clients lead with confidence, aligning with emerging standards while delivering an intuitive, secure experience.
As leading travel brands transition to OTP-first authentication, it’s clear that passwordless login is fast becoming the industry norm – not just for PCI compliance, but for better security, smoother experiences, and operational efficiency.
If you’re currently evaluating your login flows or planning for upcoming compliance changes, now is the time to explore future-proofed, OTP-based solutions.
Interested in learning more about Rezcomm’s approach and seeing how our frictionless login model supports compliance and customer satisfaction? Get in touch.
Orchestrating digital strategy, Victoria Wallace is Rezcomm’s Chief Digital Officer. With specialisations ranging from digital marketing and CRM to UX design and ecommerce, she is an expert in integrating innovation and technology to deliver outstanding results in sectors like travel, parking, and airports.