Why the Reserve Bank of India is changing its 2FA requirements in its latest directive, and why passkeys are a better and more secure alternative to SMS OTPs.
Alex
Created: October 5, 2025
Updated: October 6, 2025
India’s digital payments sector has experienced explosive growth, demonstrating financial inclusion and access. Total digital payment transactions, including those through the Unified Payment Interface (UPI), surged consistently. This immense scale, while economically beneficial, has also created a growth in the attack surface available to cybercriminals.
While the number of reported fraud incidents involving banks saw a decrease in FY25, the aggregated amount involved in these frauds dramatically increased. This metric is critical as it suggests that basic, high-volume, low-value fraud attempts may be declining, but high-value, sophisticated attacks that successfully bypass existing controls are on the rise.
Because of that, the RBI has initiated a comprehensive regulatory overhaul of transaction security, culminating in the issuance of the Authentication Mechanisms for Digital Payment Transactions Directions, 2025. This directive mandates a decisive move away from SMS-based One-Time Passwords (OTPs) as the primary Additional Factor of Authentication (AFA) toward significantly more robust, dynamic Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) solutions (similar to the phase-out in the UAE). In this blog we answer the following questions about the phase-out:
Why are SMS OTPs suboptimal in both security and user experience, so that the Reserve Bank of India is supplementing them with other 2FA methods?
What are the secure authentication alternatives that will replace SMS OTPs and provide better security?
What compliance deadlines and requirements does the RBI set?
The reliance on SMS-based OTPs as the primary second factor for digital transactions has been deemed an insufficient security measure in the face of modern cyber threats, even though it is currently one of the most widely used second factors in India's financial sector.
First, SMS-OTPs are susceptible to interception and social engineering. Because SMS relies on the telecommunications network, the transmission of the authentication factor occurs outside the secure perimeter controlled by the financial institution. Fraudsters have become adept at using social engineering tactics to manipulate customers into unknowingly revealing the OTP or initiating unauthorized transactions. Furthermore, OTPs are entirely ineffective against Authorized Push Payment (APP) fraud, where the customer, deceived by a fraudster, voluntarily authorizes the payment, rendering the OTP merely a tool of the crime.
Second, SMS delivery faces inherent operational and reliability issues. Customers in areas with poor network coverage or those traveling internationally without roaming access often face difficulties receiving or accessing the required OTP, leading to transaction failures and poor user experience. The widespread reliance on this single channel not only increases risk but also degrades service quality, prompting the central bank to push for dependable, device-centric alternatives.
SIM swap fraud is one of the core trends necessitating the move away from SMS. The mechanism involves fraudsters deceiving a telecom provider into transferring a victim's phone number to a new, unauthorized SIM card controlled by the criminal. Once the number is hijacked, the fraudster intercepts the crucial SMS-OTP, gaining unauthorized access to the victim’s bank accounts, cryptocurrency platforms, and other sensitive digital accounts. The scale of this threat is international, with the FBI investigating 1,075 SIM swap attacks in 2023, resulting in nearly $50 million in losses. The RBI’s push for non-SMS alternatives directly targets this telecom-level vulnerability, advocating for authentication methods that cannot be compromised by a phone number hijack.
Another major concern India is facing lies in the exploitation of the Aadhaar Enabled Payment System (AePS). While AePS utilizes biometrics (Aadhaar), which should, theoretically, constitute a strong factor, the system has been compromised through sophisticated techniques like the silicon cloning of fingerprints. This problem is compounded because the initial AePS implementation often lacked a required second authentication factor, fundamentally undermining the security premise of using biometrics alone.
The RBI’s subsequent response has been to mandate rigorous measures for acquiring banks, including mandatory Know Your Customer (KYC) and due diligence for all AePS touchpoint operators (ATOs). Furthermore, banks must review the integration of their AePS architecture with their Enterprise Fraud Risk Management Systems (EFRMS) and Security Information and Event Management (SIEM) solutions.
A critical analysis of the AePS vulnerability highlights a systemic gap in the ecosystem. While the RBI correctly places full ownership and liability for unauthorized transactions on the acquiring banks, the current regulatory structure lacks a national, centralized platform to monitor and flag non-compliant ATOs. This structural flaw allows fraudulent ATOs, once banned by one institution, to easily re-enter the system using altered identities through a different bank. Consequently, even as individual banks strengthen their internal defenses, the inherent systemic vulnerability remains, leaving the banking sector liable until a centralized identity registry for payment agents is instituted to address cross-institutional fraud.
The requirement that the Additional Factor of Authentication (AFA) must be robust and dynamically generated for each transaction is a direct response to these evolving threats. By ensuring the factor cannot be reused, the RBI renders intercepted OTPs or static credentials useless for subsequent transactions. This regulatory action strategically moves the core security perimeter from the external, vulnerable telecom network to the secure, attested hardware of the user’s device, significantly raising the assurance level of the authentication process.
The regulatory foundation for this systemic shift is the RBI (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025, which establishes clear mandates, defines the affected entities, and sets binding compliance deadlines.
The central objective is the mandatory application of Two-Factor Authentication (2FA) for all domestic digital payment transactions. This aligns with global best practices that recognize that security is significantly enhanced when factors are drawn from different, unrelated categories.
The RBI has explicitly outlined the three acceptable factor categories:
Something the User Knows (Knowledge): Passwords, Passphrases, or PINs.
Something the User Has (Possession): Card hardware, software tokens, or device-bound cryptographic tokens.
Something the User Is (Inherence): Fingerprint recognition, facial recognition, or other forms of biometrics (device-native or Aadhaar-based).
The directions mandate that the AFA must be dynamic, meaning it must be robustly generated for each specific transaction, ensuring non-reusability. While 2FA is mandatory, the directions allow for exemptions for certain low-value transactions, such as small contactless card payments up to ₹5,000, provided sophisticated risk-based checks are simultaneously implemented.
The responsibility for compliance is broad, encompassing all operational layers of the Indian financial technology sector.
The directives apply to all Payment System Providers and Participants, including banks and non-bank entities involved in executing domestic digital transactions. This includes, but is not limited to, card issuers, payment aggregators, Prepaid Payment Instrument (PPI) issuers, and UPI participants.
Furthermore, the compliance requirements extend vertically to third-party relationships. As per the RBI Master Direction on Outsourcing of Information Technology Services (April 2023), Regulated Entities (REs) must ensure their outsourced service providers, including cloud service providers, adopt all stipulated governance and security controls. This ensures that sensitive records remain available to the RE and the RBI, even in the event of liquidation of the service provider, and mandates the RBI’s right to direct and conduct audits or inspections of the service provider’s infrastructure.
Regulated Entities face several immediate and interconnected deadlines that require coordinated, high-priority project management.
| Mandate Category | Required Action | Compliance Deadline | Key RBI Directive Reference |
|---|---|---|---|
| Domestic Digital Transactions | Full implementation of minimum Two-Factor Authentication (2FA) standards (e.g., biometrics, app tokens) | April 1, 2026 | Digital Payment Authentication Directions, 2025 |
| Cross-Border CNP Transactions | Implementation of validation mechanisms and risk-based controls for non-recurring Card-Not-Present (CNP) transactions | October 1, 2026 | Digital Payment Authentication Directions, 2025 |
| Digital Banking Domain Modernization | Migration of existing digital banking domains to the secure and exclusive .bank.in domain | October 31, 2025 | RBI Circular (April 22, 2025) |
The RBI’s regulatory approach is holistic, aiming to secure the digital perimeter from multiple angles simultaneously. The mandate to shift all digital banking domains to the exclusive .bank.in domain by October 31, 2025, is part of this preemptive cybersecurity measure. By restricting the domain space, the RBI drastically reduces the effectiveness of phishing, spoofing, and fake banking websites, thereby securing the initial point of customer contact before the 2FA process is even initiated.
The extended deadline for cross-border Card-Not-Present (CNP) transactions (October 1, 2026) recognizes the complexity involved in coordinating with international card networks and aligning transaction processes with global standards. This provision requires issuers to register their Bank Identification Numbers (BINs) and implement specific risk-based controls to validate these transactions, asserting greater domestic control and oversight over international payment security.
The gradual shift away from SMS-OTP forces regulated entities to adopt sophisticated, dynamic authentication mechanisms that fulfill the three core factor requirements (Know, Have, Is). The RBI framework strongly favors solutions that leverage cryptographic security and device attestation, such as passkeys.
App-based authentication, often utilizing software tokens, is one alternative to SMS-OTP. This method involves generating or approving the AFA via a trusted application that resides securely on the user's mobile device.
The fundamental security advantage is that the cryptographic keys are bound to the specific device and the authentication mechanism never relies on the vulnerable public telecom network, making it inherently resistant to SIM swap and interception fraud. Modern implementations often use push notifications, allowing users to approve transactions with a single, secure tap, significantly enhancing the user experience while maintaining compliance with dynamic authentication requirements.
Crucially, the RBI mandates that authentication and tokenization services must be interoperable and accessible across platforms and applications. This requirement forces the adoption of open standards or widely supported protocols, ensuring that the new authentication infrastructure supports India's multi-platform payment ecosystem.
Biometrics, using "something the user is", provides a high-assurance factor when implemented correctly.
This involves using authentication mechanisms native to the mobile device, such as fingerprint or facial recognition, where the biometric data is processed within isolated hardware (a Trusted Execution Environment or Secure Enclave). This method provides a high level of security and convenience with minimal user friction.
India’s digital identity infrastructure (Aadhaar, as part of the JAM Trinity) remains a part of the authentication ecosystem, with authentication volumes exceeding 2.11 billion in a single month as of May 2025. However, the AePS fraud incidents demonstrate that even a strong biometric factor is insufficient without a robust second factor and stringent governance. Consequently, REs leveraging Aadhaar for payment services must adhere to enhanced due diligence requirements and integrate these platforms fully into their EFRMS architecture to prevent identity spoofing.
The most advanced solutions aligning with the RBI’s dynamic and robust 2FA requirement are those based on the Fast Identity Online (FIDO) Alliance standards, including the adoption of Passkeys.
The FIDO Alliance submitted input to the RBI in December 2024, advocating for these modern authentication mechanisms. Passkeys fundamentally shift authentication to public-key cryptography, where the user’s key is stored securely on the device (Possession) and unlocked using biometrics or a PIN (Inherence/Knowledge), effectively achieving highly phishing-resistant 2FA in a single, streamlined user action.
FIDO standards have matured to the point where they address the previous high burdens and costs associated with traditional MFA. They utilize hardware architectures to securely isolate the cryptographic keys. This ensures that the "something the user has" factor is the cryptographically secured device, rather than the easily hijacked SIM card. This technological pivot places the security anchor on the attested device hardware, making it extremely difficult to extract or spoof the authentication factor remotely, thus providing an authentication assurance level that is far superior to SMS-OTP.
While it is currently at the discretion of each financial institution which Two-Factor Authentication (2FA) method to implement, global compliance developments clearly indicate that there will be no way around passkeys in the near future. Several key reasons support this trend:
Passkeys provide the highest level of security due to their built-in phishing resistance. Because each passkey is cryptographically bound to the service and the device, it cannot be intercepted, reused, or manipulated. Even if a user were lured to a phishing site and tried to use the passkey there, it would not work, because a passkey only functions for the service it was registered with. This makes passkeys the most secure and fraud-resistant 2FA method available.
Passkeys also deliver the best user experience among all multi-factor authentication methods. Unlike SMS codes or one-time passwords that require manual entry or secondary devices, passkeys authenticate users through simple biometric verification or device unlock, without additional steps. This combination of high security and ease of use transforms authentication from a tedious obligation into a seamless, user-friendly experience.
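To make concrete what "dynamic", "bound to the service" and "phishing-resistant" mean in the passkey paragraphs above, and what the earlier non-reusable AFA requirement looks like in practice, here is an added Go example. It is not part of the original post and is not the FIDO Alliance's or any vendor's code; it models a device-bound authenticator and a relying party in a simplified WebAuthn assertion flow. The relying party issues a random single-use challenge, the authenticator signs it together with the origin the browser reports, and the relying party accepts only an unused challenge, its own origin and a valid signature. The origin `https://bank.example`, the lookalike `https://bank-in.example` and the Ed25519 key pair are constructed for the example; real authenticatorData also carries the RP ID hash and a signature counter, which are left out here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Constructed relying-party origin for this example, not a real bank's domain.
const rpOrigin = "https://bank.example"

// clientData mirrors WebAuthn clientDataJSON; the browser, not the user, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the signed answer to one challenge. Real authenticatorData also
// carries sha256(rpID) and a signature counter; both are left out here.
type Assertion struct {
	AuthData       []byte
	ClientDataJSON []byte
	Signature      []byte // Ed25519 over AuthData || sha256(ClientDataJSON)
}

// Authenticator models the device-bound key: the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// Sign answers a challenge for whatever origin the browser reports, so a
// lookalike site receives an assertion that names the lookalike origin.
func (a *Authenticator) Sign(challenge []byte, browserOrigin string) Assertion {
	// json.Marshal cannot fail for a struct of three strings.
	cd, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), browserOrigin})
	auth := []byte{0x01} // flags byte: user present
	cdHash := sha256.Sum256(cd)
	sig := ed25519.Sign(a.priv, append(auth, cdHash[:]...))
	return Assertion{AuthData: auth, ClientDataJSON: cd, Signature: sig}
}

// RelyingParty holds the registered public key and the outstanding single-use challenges.
type RelyingParty struct {
	pub        ed25519.PublicKey
	challenges map[string]bool
}

// NewChallenge issues fresh randomness per transaction: this is what makes the factor dynamic.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // crypto/rand failing is not something this flow can recover from
	}
	rp.challenges[base64.RawURLEncoding.EncodeToString(c)] = true
	return c
}

// Verify runs the relying-party checks: known unused challenge, our origin, valid signature.
func (rp *RelyingParty) Verify(a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || !rp.challenges[cd.Challenge] {
		return fmt.Errorf("unknown, already used or wrong-type challenge (replay)")
	}
	delete(rp.challenges, cd.Challenge) // consumed, whatever happens next
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q (lookalike site)", cd.Origin, rpOrigin)
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := append(append([]byte{}, a.AuthData...), cdHash[:]...)
	if !ed25519.Verify(rp.pub, msg, a.Signature) {
		return fmt.Errorf("signature does not verify against the registered key")
	}
	return nil
}

// Demo runs a genuine login, a replay of the same assertion, and a login
// from a lookalike origin, returning the relying party's verdict on each.
func Demo() (legit, replay, phished error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // setup failure, not an authentication outcome
	}
	auth := &Authenticator{priv: priv}
	rp := &RelyingParty{pub: pub, challenges: map[string]bool{}}
	a1 := auth.Sign(rp.NewChallenge(), rpOrigin)
	legit, replay = rp.Verify(a1), rp.Verify(a1)
	phished = rp.Verify(auth.Sign(rp.NewChallenge(), "https://bank-in.example")) // constructed lookalike origin
	return legit, replay, phished
}
```

Running `Demo` accepts the genuine assertion and rejects both the replay (the challenge was consumed) and the assertion produced for the lookalike origin. The contrast with an SMS OTP is the origin check: a user can be talked into typing an OTP into a fraudster's page, but the origin in clientDataJSON is written by the browser, so there is nothing for the user to hand over.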
The transition to RBI’s new authentication framework by the April 1, 2026, deadline requires a strategic approach encompassing technology overhaul, organizational change, and consumer management.
Achieving compliance while minimizing customer friction is dependent on the effective deployment of Risk-Based Authentication (RBA). The RBI guidelines promote this dynamic, contextual approach. RBA utilizes sophisticated analysis of transaction parameters, including user behavior, geolocation, device identification, and transaction history, to dynamically assess risk severity.
For low-risk, habitual transactions, RBA can permit a streamlined authentication process, avoiding unnecessary friction. Conversely, high-risk scenarios, such as transactions exceeding predefined limits, first-time payments, or activity originating from anomalous geographical locations, must automatically trigger the deployment of the most robust, explicit 2FA mechanisms (e.g., biometric confirmation via a FIDO-enabled passkey).
This requires REs to integrate high-fidelity risk assessment engines directly into their payment flow, feeding continuous data into their existing Enterprise Fraud Risk Management Systems (EFRMS). RBA is therefore not merely a security feature; it is a critical tool for operational efficiency and customer experience management, ensuring that security measures are proportionate to the threat.
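As an added illustration of the risk-based authentication described above (example code written for this topic, not from the RBI or from any bank's fraud system), the Go program below scores one transaction from a handful of signals and maps the score to the authentication the payment flow must demand. The point weights, thresholds and the `Transaction`/`Profile` fields are constructed; the ₹5,000 contactless ceiling is the low-value exemption the directions mention, and the example grants it only when no risk signal fires.

```go
package main

import "fmt"

// Transaction holds the signals a risk engine sees for one payment. The fields
// are constructed for this example; a real EFRMS feed carries many more.
type Transaction struct {
	AmountINR       int
	Contactless     bool   // card-present tap-to-pay
	PayeeSeenBefore bool   // customer has paid this payee before
	KnownDevice     bool   // device or card already enrolled for this customer
	Country         string // where the request originates
	TxLastHour      int    // velocity: payments already made in the past hour
}

// Profile is what the bank already knows about the customer's normal behaviour.
type Profile struct {
	HomeCountry   string
	TypicalMaxINR int // the customer's usual upper bound per transaction
}

// Decision is the authentication the payment flow must demand.
type Decision int

const (
	Frictionless Decision = iota // low-value contactless exemption, no risk signal fired
	StandardAFA                  // dynamic second factor, e.g. in-app approval
	StepUp                       // explicit high-assurance 2FA, e.g. passkey with biometric unlock
	Block                        // too risky to authenticate at all
)

func (d Decision) String() string {
	return [...]string{"frictionless", "standard-afa", "step-up", "block"}[d]
}

// Constructed policy thresholds; a production engine tunes these from fraud data.
const (
	contactlessExemptINR = 5000 // low-value contactless ceiling the directions allow
	stepUpScore          = 50
	blockScore           = 90
)

// Assess turns the signals into a score and a decision, returning the reasons
// so the outcome can be logged to the fraud system and explained afterwards.
func Assess(tx Transaction, p Profile) (Decision, int, []string) {
	score := 0
	var reasons []string
	add := func(points int, why string) {
		score += points
		reasons = append(reasons, why)
	}
	if !tx.KnownDevice {
		add(30, "unrecognised device")
	}
	if !tx.PayeeSeenBefore {
		add(25, "first payment to this payee")
	}
	if tx.Country != p.HomeCountry {
		add(30, "request origin differs from customer's country")
	}
	if tx.AmountINR > p.TypicalMaxINR {
		add(25, "amount above customer's typical range")
	}
	if tx.TxLastHour >= 5 {
		add(20, "high transaction velocity")
	}
	switch {
	case score >= blockScore:
		return Block, score, reasons
	case score >= stepUpScore:
		return StepUp, score, reasons
	case tx.Contactless && tx.AmountINR <= contactlessExemptINR && score == 0:
		return Frictionless, score, reasons
	default:
		return StandardAFA, score, reasons
	}
}

func main() {
	p := Profile{HomeCountry: "IN", TypicalMaxINR: 20000}
	for _, tx := range []Transaction{ // constructed sample payments
		{AmountINR: 450, Contactless: true, PayeeSeenBefore: true, KnownDevice: true, Country: "IN"},
		{AmountINR: 3000, PayeeSeenBefore: true, KnownDevice: true, Country: "IN"},
		{AmountINR: 75000, KnownDevice: true, Country: "IN"},
		{AmountINR: 60000, Country: "RO", TxLastHour: 6},
	} {
		d, s, why := Assess(tx, p)
		fmt.Printf("%-12v score=%3d %v\n", d, s, why)
	}
}
```

The reasons slice is the part worth keeping in a real deployment: feeding the decision and its reasons into the EFRMS gives the fraud team the data to tune the weights, and gives the customer-facing channel an explanation for why a particular payment asked for a passkey confirmation.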
The migration necessitates a technical redesign of existing core banking and payment processing systems.
Banks and fintechs must redesign their legacy authentication architecture to integrate solutions that support the mandatory interoperability standard. This ensures that app-based validation or tokenization methods function smoothly across various payment platforms and networks, essential for the UPI and card ecosystems.
Regulated entities must enforce the terms of the Master Direction on Outsourcing. This means conducting thorough due diligence and maintaining the right to audit and inspect the security controls of outsourced providers, particularly cloud services, to ensure compliance with RBI standards for confidentiality and data availability.
For the AePS ecosystem, the technical overhaul requires implementing stricter controls for Application Programming Interface (API) usage and mandated alignment with Security Information and Event Management (SIEM) systems. The strategic focus must be on strengthening the due diligence and periodic KYC updates for all AePS operators to mitigate ATO-related fraud.
In conclusion, the RBI’s 2025 Directions mark a decisive step away from outdated SMS-OTP authentication toward modern, dynamic, and device-bound security methods. By setting clear deadlines, emphasizing interoperability, and promoting solutions such as app-based tokens, biometrics, and FIDO passkeys, the framework not only strengthens India’s defenses against sophisticated fraud but also improves reliability and user experience. For banks, fintechs, and payment providers, the transition is both a regulatory mandate and a strategic opportunity to modernize their authentication systems, build customer trust, and align with global best practices in digital security.
Why are SMS OTPs suboptimal in both security and user experience, so that the Reserve Bank of India is supplementing them with other 2FA methods? SMS OTPs are insecure because they can be intercepted, exploited through SIM swaps and social engineering, fail against APP fraud, and often suffer from delivery issues, leading the RBI to require stronger 2FA methods.
What are the secure authentication alternatives that will replace SMS OTPs and provide better security? The RBI endorses passkeys (as the best phishing-resistant authentication method), since they will be the gold standard of future authentication. Apart from that, app-based tokens and device-native or Aadhaar biometrics with liveness checks are also allowed.
What are the compliance deadlines and requirements the RBI claims? The RBI Directions, 2025 mandate 2FA for all domestic digital payments by April 1, 2026, migration of digital banking domains to .bank.in by October 31, 2025, and risk-based controls for cross-border CNP transactions by October 1, 2026.