Why leading travel brands are moving to Passwordless Login—and what it means for the industry

Let’s be honest…passwords have become a daily hassle.

We’re expected to create complex combinations, including uppercase, lowercase, symbols and numbers. Avoid reusing them. Remember them all. And even then, static passwords remain one of the weakest links in digital security and are alarmingly vulnerable.

With cyberattacks surging in recent years, something had to change.

Now, major travel brands like Booking.com and Skyscanner are ditching the password in favour of One-Time Passcodes (OTP). A smarter, simpler, and most importantly, more secure, way to log in. It’s part of a wider shift across the travel industry, where user expectations are evolving and outdated security just won’t cut it.

OTP-first login isn’t just more robust – it’s faster, easier, and future-ready. At Rezcomm, we recognised this early and built our authentication model around it, aligning with best practices to protect customer data while helping our airport partners stay compliant, confident, and ahead of the curve.

What’s behind the change?

The shift toward OTP-based login isn’t another digital trend. It’s driven by evolving regulatory standards and a need for stronger, more user-friendly security models. Under PCI DSS 4.0, (the latest version of the Payment Card Industry Data Security Standard) static passwords used in isolation are no longer considered compliant. Instead, the framework favours multi-factor authentication (MFA) approaches that reduce reliance on single points of failure.

This change reflects growing concerns around cyber threats such as phishing, brute-force attacks, and widespread password fatigue. Traditional login methods are increasingly vulnerable, both from a technical and human-driven standpoint.

At the same time, user expectations are changing. Today’s mobile-first customers expect fast, seamless access, and OTPs deliver exactly that. They reduce friction, simplify login flows, and result in fewer support queries for operators. The result is a win-win: stronger security and a more intuitive user experience that meets the demands of modern digital journeys.

What is OTP and how does it work?

A one-time password is a temporary, unique code (usually 6 digits) that is generated and sent to a user’s email address or mobile device when they request access to a service that requires authentication. These codes are time-sensitive, often expiring in a matter of minutes, which dramatically reduces the risk of an attacker retrieving the code and gaining unauthorised access.

Here’s how it works:

The user enters their email address to log in to a website or app
The system generates a one-time passcode and sends it to the user’s registered contact method
The user retrieves the code and enters it in the app or site
If valid, the system verifies the code and grants access

Unlike traditional passwords, OTPs are only valid for a single session. If the session expires or the user logs out, a new OTP must be generated for future access. This approach reduces the risk of attacks and enhances security, ensuring a fresh session every time.

Here’s a simple side-by-side comparison chart:

Feature	Static Passwords	One-Time Passcodes (OTPs)
Reuse	Reused across sessions	Valid for a single session only
Vulnerability to attacks	High – prone to phishing & brute-force	Low – time-sensitive, single-use only
User behaviour risk	High – forgotten or reused passwords	Low – no memorisation required
Security compliance (PCI DSS 4.0)	No – non-compliant if used alone	Yes – aligned with MFA standards
Ease of use (mobile users)	Lower – typing passwords on small screens	Higher – quick access via inbox
Support queries (e.g. resets)	Frequent password reset requests	Fewer support queries

Who’s adopting OTP and why?

Travel giants Booking.com and Skyscanner are heading towards a zero-password future. They’re currently in the process of phasing out password fields, in favour of email-based OTPs. No stored passwords. No reset links. Just secure, session-based authentication that aligns with industry best practice frameworks – something Rezcomm has championed from the outset.

Other major players including Expedia Group, Singapore Airlines, Click Travel, Airbnb, and SpiceJet are also embracing OTPs to strengthen authentication. However, in most cases, they’ve added them as a secondary authentication layer, enhancing, rather than replacing, traditional passwords or alternative access like social logins.

The decision by Booking.com and Skyscanner to go passwordless is a clear sign that regulatory standards and user expectations are evolving. Under PCI DSS 4.0, static passwords used in isolation are no longer compliant. By switching to OTPs, these platforms are prioritising:

Stronger security – OTPs reduce risks from phishing, credential stuffing, and session hijacking
Fresh authentication every session – no lingering access vulnerabilities
Simpler UX – users no longer need to remember or reset passwords

As with any major shift, there’s a learning curve. Like Rezcomm, these travel brands have encountered initial customer friction, but they’re taking proactive steps to ease the transition:

Publishing clear, accessible help content to guide users through the new login process
Optimising OTP delivery speeds
Exploring persistent login options for trusted users

The message is clear: convenience should never come at the cost of security.

Rezcomm’s perspective

At Rezcomm, we’ve never been afraid to do things differently, implementing OTP as a primary login method early on. It wasn’t just about meeting compliance standards but also building user confidence, maintaining platform integrity and simplifying operations for both passengers and operators. Our decision was grounded in long-term thinking, futureproofing, and anticipating where the industry was heading.

Today, our clients benefit from:

Optimised OTP delivery speeds for a seamless login experience
Clear, accessible support content to guide users
Optional persistent login solutions to balance security with convenience

As major travel brands follow suit, it reinforces what we’ve always believed: secure, frictionless access is fundamental to a future-ready platform.

What this means for airports and operators

For airport and travel operators, zero-password login designs aren’t just a technical upgrade but a strategic advantage. Transitioning from traditional static passwords to OTP-based authentication creates a smoother, faster login experience for customers, reducing frustration and drop-off during key moments in the customer journey. And we all know: a frictionless experience leads to happier customers who spend more, stay loyal, and return time and time again.

With fewer support requests for forgotten passwords and account resets, back-end operational teams also benefit from reduced admin and improved efficiency.

As consumer expectations around digital convenience and data security continue to evolve, having a speedy, intuitive and secure login system is something businesses must prioritise – and quickly. Adopting future-ready authentication shows customers that their data security and experience truly matters, building trust and confidence.

Rezcomm’s early move to OTP wasn’t about standing out for the sake of it. It was a considered, forward-thinking decision that reflects a broader industry evolution. We’re proud to help our clients lead with confidence, aligning with emerging standards while delivering an intuitive, secure experience.

Passwordless is the future – is your login system ready?

As leading travel brands transition to OTP-first authentication, it’s clear that passwordless login is fast becoming the industry norm – not just for PCI compliance, but for better security, smoother experiences, and operational efficiency.

If you’re currently evaluating your login flows or planning for upcoming compliance changes, now is the time to explore future-proofed, OTP-based solutions.

Interested in learning more about Rezcomm’s approach and seeing how our frictionless login model supports compliance and customer satisfaction? Get in touch.