RBI to end OTP era; mandates flexible two-factor authentication for all digital payments by next year
Starting April 2026, all domestic digital payments—from UPI to online card transactions—must be verified with at least two factors.
The Reserve Bank of India is phasing out its long-standing reliance on SMS-based one-time passwords (OTP), moving the country’s entire digital payments industry to a broader, risk-based framework for two-factor authentication (2FA).
Starting April 2026, all domestic digital payments—from UPI to online card transactions—must be verified with at least two factors. The RBI has refused to dictate which ones, giving banks and payment firms the freedom to innovate. The only non-negotiable: for anything outside “card-present” transactions, one of the factors has to be dynamic and unique for each payment.
India’s digital payments boom has leaned heavily on text-message OTPs for the past decade, creating what industry players now call an “OTP monoculture”. This made payments vulnerable to SIM swaps, SMS outages, and an ecosystem of vendors extracting revenue from OTP traffic.
By not prescribing SMS, biometrics, or any single method, the RBI is pushing issuers toward more flexible authentication, including device-native biometrics, passkeys, and cryptographic tokens.
“This is a long-awaited and welcome clarification from the RBI on 2FA guidelines, revisiting the original circular issued a decade ago. At that time, SMS OTP was the only available method. With the advent of technologies like Silent Network Authentication (SNA), Passkeys, and SIM-based authentication, the older guidelines have become outdated,” said Bhavik Koladiya, CEO, OTPless.
Issuers are now allowed to layer in contextual checks such as device ID, geolocation, user behaviour, and historical patterns. For high-risk transactions, the RBI suggests using DigiLocker to push real-time confirmations. The central bank’s bet is that customers will face fewer clunky prompts when risk is low, while still enjoying stronger security when it counts.
"Importantly, the RBI has clarified that verifying the same knowledge factor (e.g., a password) twice does not constitute 2FA. True 2FA requires validating both knowledge (something you know) and possession (something you have)—where knowledge is static shareable pin/password and possession is dynamically tied to your device and SIM," said Koladiya.
"The recently released directions strike an important balance between consumer security and innovation. We truly appreciate the regulator’s consideration of industry feedback. The clarity and flexibility provided will enable issuers and payment players to embrace next-generation tools like biometrics, tokenisation, and contextual risk checks," said Vishwas Patel, Chair, Payments Council of India & Jt. Managing Director, Infibeam Avenues.
"By keeping security at the core, the RBI has paved the way for a safer, simpler, and more inclusive digital payments experience for both consumers and businesses," he added.
The rules apply only to domestic transactions. For cross-border card-not-present purchases, issuers have until October 2026 to roll out additional validation layers. Until then, the old OTP-heavy framework will be used for international spending.
“RBI, by mandating risk-based checks in its latest directions, has formalised a framework that encourages a variety of authentication mechanisms beyond just SMS-based OTPs. The specific requirement for validating an additional factor of authentication in cross-border card-not-present transactions is a critical step to increase trust and reduce risks, which will ultimately benefit both businesses and their customers,” said Sanjay Tripathy, CEO & Co-Founder, BRISKPE, a cross-border payments platform.
“It provides a clear, uniform standard that aligns with global best practices and will strengthen India's position in the international digital payments landscape. The move will foster a more robust and compliant ecosystem, ensuring smoother and more secure cross-border transactions for all,” he added.
Edited by Swetha Kannan


