---
url: 'https://www.corbado.com/blog/rbi-2fa-directives'
title: '2FA Changes by Reserve Bank of India to phase out SMS OTP'
description: 'Learn why the Reserve Bank of India introduces 2FA changes in its latest directive. Learn why passkeys are the better & more secure alternative to SMS OTPs.'
lang: 'en'
author: 'Alex'
date: '2025-10-05T17:16:05.382Z'
lastModified: '2026-03-27T07:01:49.037Z'
keywords: 'RBI 2FA changes 2025, RBI authentication guidelines, RBI digital payment security, SMS OTP alternatives India, Two-factor authentication India, Multi-factor authentication RBI, SIM swap fraud India, Aadhaar payment fraud, RBI compliance deadlines'
category: 'Authentication'
---

# 2FA Changes by Reserve Bank of India to phase out SMS OTP

## Key Facts

- The **RBI Authentication Directions, 2025** expands 2FA beyond SMS OTP, requiring
  device-bound alternatives for all domestic digital payment transactions by April
  1, 2026.
- **SIM swap fraud** cost victims nearly USD 50 million in 2023, prompting the RBI to move
  authentication from the vulnerable telecom network to secured device hardware.
- **AePS fingerprint cloning** demonstrated that biometrics alone are insufficient without
  a second factor, creating a systemic gap until a centralized ATO registry is
  established.
- **Risk-Based Authentication** permits streamlined flows for low-risk contactless
  payments under ₹5,000, while requiring full 2FA for anomalous or high-value
  transactions.

## 1. Introduction: Growth of Digital Payment Fraud in India

India’s digital [payments](https://www.corbado.com/passkeys-for-payment) sector has grown explosively,
widening financial inclusion and access. Total digital
[payment](https://www.corbado.com/passkeys-for-payment) transactions, including those through the Unified
[Payment](https://www.corbado.com/passkeys-for-payment) Interface (UPI), have risen year after year. This immense
scale, while economically beneficial, has also expanded the attack surface available to
cybercriminals.

While the number of reported fraud incidents involving banks saw a decrease in FY25, the
aggregated amount involved in these frauds dramatically increased. This metric is critical
as it suggests that basic, high-volume, low-value fraud attempts may be declining, but
high-value, sophisticated attacks that successfully bypass existing controls are on the
rise.

In response, the RBI has initiated a comprehensive regulatory overhaul of transaction
security, culminating in the issuance of the **Authentication Mechanisms for Digital
Payment Transactions Directions, 2025**. This directive requires stronger authentication
mechanisms and encourages financial institutions to adopt more robust, device-bound
alternatives to SMS-based One-Time Passwords (OTPs) as the primary Additional Factor of
Authentication (AFA). Importantly, the RBI has clarified that this framework does not
mandate the discontinuation of SMS OTPs; rather, it expands the set of acceptable
authentication options to include significantly more robust, dynamic
[Two-Factor Authentication](https://www.corbado.com/blog/passkeys-vs-2fa-security) (2FA) and Multi-Factor
Authentication (MFA) solutions. In this blog we answer the following questions about
strengthening digital payment authentication:

1. Why are SMS OTPs not optimal in security and user experience and what alternatives does
   the Reserve Bank of India encourage?

2. What are the secure authentication alternatives that provide better security alongside
   or instead of SMS OTPs?

3. What are the compliance deadlines and requirements in the RBI Directions?

## 2. Inherent Weaknesses of SMS-Based OTPs

Reliance on SMS-based OTPs as the primary second factor for digital transactions has been
deemed insufficient in the face of modern cyber threats, even though it remains one of the
most widely used second factors in India's financial sector.

First, SMS-OTPs are susceptible to interception and social engineering. Because SMS relies
on the [telecommunications](https://www.corbado.com/blog/telstra-passkeys) network, the transmission of the
authentication factor occurs outside the secure perimeter controlled by the financial
institution. Fraudsters have become adept at using social engineering tactics to
manipulate customers into unknowingly revealing the OTP or initiating unauthorized
transactions. Furthermore, OTPs are entirely ineffective against Authorized Push
[Payment](https://www.corbado.com/passkeys-for-payment) (APP) fraud, where the customer, deceived by a fraudster,
voluntarily authorizes the payment, rendering the OTP merely a tool of the crime.

Second, SMS delivery faces inherent operational and reliability issues. Customers in areas
with poor network coverage or those traveling internationally without roaming access often
face difficulties receiving or accessing the required OTP, leading to transaction failures
and poor user experience. The widespread reliance on this single channel not only
increases risk but also degrades service quality, prompting the central bank to push for
dependable, device-centric alternatives.

### 2.1 The SIM Swap Fraud Crisis

[SIM swap](https://www.corbado.com/glossary/sim-swap) fraud is one of the core trends necessitating the move away
from SMS. The mechanism involves fraudsters deceiving a [telecom](https://www.corbado.com/passkeys-for-telecom)
provider into transferring a victim's phone number to a new, unauthorized SIM card
controlled by the criminal. Once the number is hijacked, the fraudster intercepts the
crucial SMS-OTP, gaining unauthorized access to the victim’s bank accounts, cryptocurrency
platforms, and other sensitive digital accounts. The scale of this threat is
international, with the FBI investigating 1,075 [SIM swap](https://www.corbado.com/glossary/sim-swap) attacks in
2023, resulting in nearly $50 million in losses. The RBI’s push for non-SMS alternatives
directly targets this [telecom](https://www.corbado.com/passkeys-for-telecom)-level
[vulnerability](https://www.corbado.com/glossary/vulnerability), advocating for authentication methods that
cannot be compromised by a phone number hijack.

### 2.2 Aadhaar Enabled Payment System (AePS) Fraud

Another major concern India is facing lies in the exploitation of the Aadhaar Enabled
Payment System (AePS). While AePS utilizes biometrics (Aadhaar), which should,
theoretically, constitute a strong factor, the system has been compromised through
sophisticated techniques like the silicon cloning of fingerprints. This problem is
compounded because the initial AePS implementation often lacked a required second
authentication factor, fundamentally undermining the security premise of using biometrics
alone.

The RBI’s subsequent response has been to mandate rigorous measures for acquiring banks,
including mandatory Know Your Customer (KYC) and due diligence for all AePS touchpoint
operators (ATOs). Furthermore, banks must review the integration of their AePS
architecture with their Enterprise Fraud Risk Management Systems (EFRMS) and Security
Information and Event Management (SIEM) solutions.

A critical analysis of the AePS [vulnerability](https://www.corbado.com/glossary/vulnerability) highlights a
systemic gap in the ecosystem. Under the RBI's framework, [issuers](https://www.corbado.com/glossary/issuer) bear
significant responsibility for compliance and must compensate customers for losses arising
from non-compliance, while acquiring banks have obligations for due diligence on AePS
touchpoint operators. However, the current regulatory structure lacks a national,
centralized platform to monitor and flag non-compliant ATOs. This structural flaw allows
fraudulent ATOs, once banned by one institution, to easily re-enter the system using
altered identities through a different bank. Consequently, even as individual banks
strengthen their internal defenses, the inherent systemic
[vulnerability](https://www.corbado.com/glossary/vulnerability) remains until a
[centralized identity](https://www.corbado.com/blog/digital-identity-guide) registry for payment agents is
instituted to address cross-institutional fraud.

The requirement that the Additional Factor of Authentication (AFA) must be robust and
dynamically generated for each transaction is a direct response to these evolving threats.
By ensuring the factor cannot be reused, the RBI renders intercepted OTPs or static
credentials useless for subsequent transactions. This regulatory action strategically
moves the core security perimeter from the external, vulnerable
[telecom](https://www.corbado.com/passkeys-for-telecom) network to the secure, attested hardware of the user’s
device, significantly raising the assurance level of the authentication process.

## 3. The Regulatory Framework behind RBI's 2025 Directives

The regulatory foundation for this systemic shift is the RBI (Authentication Mechanisms
for Digital Payment Transactions) Directions, 2025, which establishes clear mandates,
defines the affected entities, and sets binding compliance deadlines.

![RBI-header.png](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/RBI_header_7e363ce889.png)
![RBI-direction.png](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/RBI_direction_5c32c5c2a6.png)

### 3.1 Core Authentication Principles mandated by RBI

The central objective is the mandatory application of
[Two-Factor Authentication](https://www.corbado.com/blog/passkeys-vs-2fa-security) (2FA) for all domestic digital
payment transactions. This aligns with global best practices that recognize that security
is significantly enhanced when factors are drawn from different, unrelated categories.

The RBI has explicitly outlined the three acceptable factor categories:

1. Something the User Knows (Knowledge): Passwords, Passphrases, or PINs.

2. Something the User Has (Possession): Card hardware, software tokens, or device-bound
   cryptographic tokens.

3. Something the User Is (Inherence): Fingerprint recognition, facial recognition, or
   other forms of biometrics (device-native or Aadhaar-based).

The directions mandate that the AFA must be dynamic, meaning it must be robustly generated
for each specific transaction, ensuring non-reusability. While
[2FA](https://www.corbado.com/blog/passkeys-vs-2fa-security) is mandatory, the directions allow for exemptions
for certain low-value transactions, such as small contactless card
[payments](https://www.corbado.com/passkeys-for-payment) up to ₹5,000, provided sophisticated risk-based checks
are simultaneously implemented.

### 3.2 Scope of Applicability

The responsibility for compliance is broad, encompassing all operational layers of the
Indian financial technology sector.

The directives apply to **all Payment System Providers and Participants**, including banks
and non-bank entities involved in executing domestic digital transactions. This includes,
but is not limited to, card [issuers](https://www.corbado.com/glossary/issuer), payment aggregators, PPI
[issuers](https://www.corbado.com/glossary/issuer), and UPI participants.

Furthermore, the compliance **requirements extend vertically to third-party
relationships**. As per the RBI Master Direction on Outsourcing of Information Technology
Services (April 2023), Regulated Entities (REs) must ensure their outsourced service
providers, including cloud service providers, adopt all stipulated governance and security
controls. This ensures that sensitive records remain available to the RE and the RBI, even
in the event of liquidation of the service provider, and mandates the RBI’s right to
direct and conduct audits or inspections of the service provider’s infrastructure.

### 3.3 Critical Compliance Deadlines and Interconnected Mandates

Regulated Entities face several immediate and interconnected deadlines that require
coordinated, high-priority project management.

#### 3.3.1 Regulatory Compliance Timelines for Authentication Overhaul

| Mandate Category                     | Required Action                                                                                                       | Compliance Deadline | Key RBI Directive Reference                     |
| ------------------------------------ | --------------------------------------------------------------------------------------------------------------------- | ------------------- | ----------------------------------------------- |
| Domestic Digital Transactions        | Full implementation of minimum Two-Factor Authentication (2FA) standards (e.g., Biometrics, App Tokens)               | April 1, 2026       | Digital Payment Authentication Directions, 2025 |
| Cross-Border CNP Transactions        | Implementation of validation mechanisms and risk-based controls for non-recurring Card-Not-Present (CNP) transactions | October 1, 2026     | Digital Payment Authentication Directions, 2025 |
| Digital Banking Domain Modernization | Migration of existing digital banking domains to the secure and exclusive .bank.in domain                             | October 31, 2025    | RBI Circular (April 22, 2025)                   |

#### 3.3.2 Strategic Interdependencies in Compliance

The RBI’s regulatory approach is holistic, aiming to secure the digital perimeter from
multiple angles simultaneously. The mandate to shift all digital
[banking](https://www.corbado.com/passkeys-for-banking) domains to the exclusive .bank.in domain by October 31,
2025, is part of this preemptive cybersecurity measure. By restricting the domain space,
the RBI drastically reduces the effectiveness of [phishing](https://www.corbado.com/glossary/phishing), spoofing,
and fake [banking](https://www.corbado.com/passkeys-for-banking) websites, thereby securing the initial point of
customer contact before the [2FA](https://www.corbado.com/blog/passkeys-vs-2fa-security) process is even
initiated.

The extended deadline for cross-border Card-Not-Present (CNP) transactions (October
1, 2026) recognizes the complexity involved in coordinating with international card
networks and aligning transaction processes with global standards. This provision requires
issuers to register their Bank Identification Numbers (BINs) and implement specific
risk-based controls to validate these transactions, asserting greater domestic control and
oversight over international payment security.

## 4. Approved Alternatives to OTP

The gradual shift away from SMS-OTP requires regulated entities to adopt sophisticated,
dynamic authentication mechanisms that fulfill the three core factor requirements (Know,
Have, Is). The RBI framework strongly favors solutions that leverage cryptographic security
and device [attestation](https://www.corbado.com/glossary/attestation), such as passkeys.

### 4.1 App-Based Software Token Solutions

App-based authentication, often utilizing software tokens, is one alternative to SMS-OTP.
This method involves generating or approving the AFA via a trusted application that
resides securely on the user's mobile device.

The fundamental security advantage is that the cryptographic keys are bound to the
specific device and the authentication mechanism never relies on the vulnerable public
telecom network, making it inherently resistant to [SIM swap](https://www.corbado.com/glossary/sim-swap) and
interception fraud. Modern implementations often use push notifications, allowing users to
approve transactions with a single, secure tap, significantly enhancing the user
experience while maintaining compliance with dynamic authentication requirements.

Crucially, the RBI mandates that authentication and tokenization services must be
interoperable and accessible across platforms and applications. This requirement forces
the adoption of open standards or widely supported protocols, ensuring that the new
authentication infrastructure supports India's multi-platform payment ecosystem.

### 4.2 Biometric Authentication and Aadhaar Integration

Biometrics, using "something the user is", provides a high-assurance factor when
implemented correctly.

#### 4.2.1 Device-Native Biometrics

This involves using authentication mechanisms inherent to the mobile device, such as
fingerprint or facial recognition, where the biometric data is processed within a secure
element (Trusted Execution Environment or [Secure Enclave](https://www.corbado.com/glossary/secure-enclave)).
This method provides a high level of security and convenience, minimizing user friction.

#### 4.2.2 Aadhaar-Based Biometrics

India’s [digital identity](https://www.corbado.com/blog/digital-identity-guide) infrastructure (Aadhaar, as part
of the JAM Trinity) remains a part of the authentication ecosystem, with authentication
volumes exceeding 2.11 billion in a single month as of May 2025. However, the AePS fraud
incidents demonstrate that even a strong biometric factor is insufficient without a robust
second factor and stringent governance. Consequently, REs leveraging Aadhaar for payment
services must adhere to enhanced due diligence requirements and integrate these platforms
fully into their EFRMS architecture to prevent identity spoofing.

### 4.3 Superior Cryptographic Standards: Passkeys

The most advanced solutions aligning with the RBI’s dynamic and robust
[2FA](https://www.corbado.com/blog/passkeys-vs-2fa-security) requirement are those based on the Fast Identity
Online (FIDO) Alliance standards, including the adoption of Passkeys.

The [FIDO Alliance](https://www.corbado.com/glossary/fido-alliance) submitted input to the RBI in December 2024,
advocating for these modern authentication mechanisms. Passkeys fundamentally shift
authentication to public-key cryptography, where the user’s key is stored securely on the
device (Possession) and unlocked using biometrics or a PIN (Inherence/Knowledge),
effectively achieving highly [phishing](https://www.corbado.com/glossary/phishing)-resistant 2FA in a single,
streamlined user action.

FIDO standards have matured to the point where they address the previous high burdens and
costs associated with traditional MFA. They utilize hardware architectures to securely
isolate the cryptographic keys. This ensures that the "something the user has" factor is
the cryptographically secured device, rather than the easily hijacked SIM card. This
technological pivot places the security anchor on the attested device hardware, making it
extremely difficult to extract or spoof the authentication factor remotely, thus providing
an authentication assurance level that is far superior to SMS-OTP.

While it is currently at the discretion of each financial institution which
[Two-Factor Authentication](https://www.corbado.com/blog/passkeys-vs-2fa-security) (2FA) method to implement,
global compliance developments clearly indicate that there will be no way around passkeys
in the near future. Several key reasons support this trend:

- **Passkeys provide the highest level of security** due to their built-in
  [phishing](https://www.corbado.com/glossary/phishing) resistance. Because each passkey is cryptographically
  bound to the service and device, it cannot be intercepted, reused, or manipulated. Even
  if a user attempted to share or reuse credentials in a phishing scenario, it would be
  technically impossible since the design of passkeys prevents it by default. This makes
  them the most secure and fraud-resistant 2FA method available.

- **Passkeys also deliver the best user experience** among all multi-factor authentication
  methods. Unlike SMS codes or one-time passwords that require manual entry or secondary
  devices, passkeys authenticate users through simple biometric verification or device
  unlock, without additional steps. This combination of high security and ease of use
  transforms authentication from a tedious obligation into a seamless, user-friendly
  experience.
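The passage above and the dynamic-AFA requirement of section 3.1 together describe a challenge/response signed by a device-bound key. The following added example (not code from this post, from Corbado or from any FIDO library) models that with a standard-library ECDSA P-256 key: the relying party ID `examplebank.bank.in`, user names and payee strings are constructed, and the real WebAuthn message formats are reduced to the three properties the argument rests on: binding to the relying party, a one-time challenge, and binding to the transaction's payee and amount.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the device side of a passkey: the private key is generated on the
// device, never leaves it, and is bound to exactly one relying party (RP) ID.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, nil
}

// Sign asserts one specific transaction; a site presenting a different RP ID gets no signature at all.
func (a *Authenticator) Sign(rpID, challenge, payee string, amountPaise int64) ([]byte, error) {
	if rpID != a.rpID {
		return nil, errors.New("passkey is not bound to this relying party")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, txDigest(a.rpID, challenge, payee, amountPaise))
}

// txDigest binds RP ID, one-time challenge, payee and amount into the signed message (length-prefixed).
func txDigest(rpID, challenge, payee string, amountPaise int64) []byte {
	h := sha256.New()
	for _, f := range []string{rpID, challenge, payee, fmt.Sprint(amountPaise)} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return h.Sum(nil)
}

// RelyingParty is the bank side: registered public keys and outstanding one-time challenges.
type RelyingParty struct {
	ID         string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string]bool
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge issues 32 random bytes that are valid for exactly one verification.
func (rp *RelyingParty) NewChallenge() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := fmt.Sprintf("%x", buf)
	rp.challenges[c] = true
	return c, nil
}

// Verify consumes the challenge first (so a captured assertion cannot be replayed), then
// checks the signature against the exact transaction the bank is about to execute.
func (rp *RelyingParty) Verify(user, challenge, payee string, amountPaise int64, sig []byte) error {
	if !rp.challenges[challenge] {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.challenges, challenge)
	pub, ok := rp.pubKeys[user]
	if !ok || !ecdsa.VerifyASN1(pub, txDigest(rp.ID, challenge, payee, amountPaise), sig) {
		return errors.New("no registered passkey or assertion does not match this transaction")
	}
	return nil
}
```

Because the challenge is deleted before the signature is checked, an intercepted assertion is worthless for a second transaction, which is exactly the non-reusability the Directions require of the AFA.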

## 5. Strategic Navigation and Compliance Roadmap

The transition to RBI’s new authentication framework by the April 1, 2026, deadline
requires a strategic approach encompassing technology overhaul, organizational change, and
consumer management.

### 5.1 Adopting a Risk-Based Authentication (RBA) Model

Achieving compliance while minimizing customer friction is dependent on the effective
deployment of Risk-Based Authentication (RBA). The RBI guidelines promote this dynamic,
contextual approach. RBA utilizes sophisticated analysis of transaction parameters,
including user behavior, geolocation, device identification, and transaction history, to
dynamically assess risk severity.

For low-risk, habitual transactions, RBA can permit a streamlined authentication process,
avoiding unnecessary friction. Conversely, high-risk scenarios, such as transactions
exceeding predefined limits, first-time [payments](https://www.corbado.com/passkeys-for-payment), or activity
originating from anomalous geographical locations, must automatically trigger the
deployment of the most robust, explicit 2FA mechanisms (e.g., biometric confirmation via a
FIDO-enabled passkey).

This requires REs to integrate high-fidelity risk assessment engines directly into their
payment flow, feeding continuous data into their existing Enterprise Fraud Risk Management
Systems (EFRMS). RBA is therefore not merely a security feature; it is a critical tool for
operational efficiency and customer experience management, ensuring that security measures
are proportionate to the threat.
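Section 5.1 describes RBA as the mechanism that reconciles the blanket 2FA mandate with the ₹5,000 contactless exemption. The following is an added illustration, not code from this post or from any RBI or Corbado system: a small step-up decision function over constructed transaction context, where the ₹5,000 ceiling comes from the Directions and the distance, velocity and device-recognition thresholds are assumed values a bank would tune from its own fraud data.

```go
package main

import (
	"fmt"
	"math"
)

// AuthLevel is the outcome of the risk assessment for one payment attempt.
type AuthLevel int

const (
	LevelStreamlined AuthLevel = iota // low-value contactless exemption, no explicit prompt
	LevelFull2FA                      // explicit device-bound second factor (e.g. passkey)
)

// Constructed thresholds: the ₹5,000 ceiling is the exemption from the Directions, the rest
// are illustrative values a bank would tune from its own fraud data.
const (
	contactlessExemptPaise int64 = 5000 * 100 // ₹1 = 100 paise
	anomalousDistanceKm          = 500.0
	maxTxPerHour                 = 5
)

// TxContext is the transaction and session data the RBA engine evaluates.
type TxContext struct {
	AmountPaise      int64
	Contactless      bool    // contactless card tap rather than UPI/app/CNP
	DeviceKnown      bool    // device identifier previously seen for this customer
	FirstTimePayee   bool    // payee never paid by this customer before
	Lat, Lon         float64 // current geolocation
	HomeLat, HomeLon float64 // customer's usual location from transaction history
	TxLastHour       int     // velocity from transaction history
}

type Decision struct {
	Level   AuthLevel
	Reasons []string // empty when streamlined
}

// haversineKm is the great-circle distance between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const r = 6371.0
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := toRad(lat2-lat1), toRad(lon2-lon1)
	a := math.Pow(math.Sin(dLat/2), 2) + math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Pow(math.Sin(dLon/2), 2)
	return 2 * r * math.Asin(math.Sqrt(a))
}

// Assess returns the authentication level a transaction must clear. Explicit 2FA is the
// default; the streamlined path is reached only for a low-value contactless payment with
// no risk signal, so any single anomaly steps the customer up.
func Assess(tx TxContext) Decision {
	var reasons []string
	if !tx.Contactless {
		reasons = append(reasons, "channel is outside the contactless exemption")
	} else if tx.AmountPaise > contactlessExemptPaise {
		reasons = append(reasons, "contactless amount exceeds the ₹5,000 exemption")
	}
	if tx.FirstTimePayee {
		reasons = append(reasons, "first-time payee")
	}
	if !tx.DeviceKnown {
		reasons = append(reasons, "unrecognised device")
	}
	if d := haversineKm(tx.HomeLat, tx.HomeLon, tx.Lat, tx.Lon); d > anomalousDistanceKm {
		reasons = append(reasons, fmt.Sprintf("location %.0f km from usual", d))
	}
	if tx.TxLastHour >= maxTxPerHour {
		reasons = append(reasons, "transaction velocity above threshold")
	}
	if len(reasons) == 0 {
		return Decision{Level: LevelStreamlined}
	}
	return Decision{Level: LevelFull2FA, Reasons: reasons}
}
```

The returned reasons are what a bank would feed into its EFRMS alongside the decision, so that every streamlined approval is traceable to the absence of each risk signal.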

### 5.2 Technical and Infrastructure Overhaul Requirements

The migration necessitates a technical redesign of existing core
[banking](https://www.corbado.com/passkeys-for-banking) and payment processing systems.

#### 5.2.1 Architecture Redesign and Interoperability

Banks and fintechs must redesign their legacy authentication architecture to integrate
solutions that support the mandatory interoperability standard. This ensures that
app-based validation or tokenization methods function smoothly across various payment
platforms and networks, essential for the UPI and card ecosystems.

#### 5.2.2 Governance and Outsourcing Controls

Regulated entities must enforce the terms of the Master Direction on Outsourcing. This
means conducting thorough due diligence and maintaining the right to audit and inspect the
security controls of outsourced providers, particularly cloud services, to ensure
compliance with RBI standards for confidentiality and data availability.

For the AePS ecosystem, the technical overhaul requires implementing stricter controls for
Application Programming Interface (API) usage and mandated alignment with Security
Information and Event Management (SIEM) systems. The strategic focus must be on
strengthening the due diligence and periodic
[KYC](https://www.corbado.com/blog/iso-18013-7-mdl-bank-kyc-onboarding) updates for all AePS operators to
mitigate ATO-related fraud.

## 6. Conclusion

In conclusion, the RBI's 2025 Directions mark a decisive step toward strengthening digital
payment authentication by expanding beyond traditional SMS-OTP and promoting modern,
dynamic, and device-bound security methods. By setting clear deadlines, emphasizing
interoperability, and encouraging solutions such as app-based tokens, biometrics, and FIDO
passkeys, the framework not only strengthens India's defenses against sophisticated fraud
but also improves reliability and user experience. For banks, fintechs, and payment
providers, the transition is both a regulatory mandate and a strategic opportunity to
modernize their authentication systems, build customer trust, and align with global best
practices in digital security.

1. **Why are SMS OTPs not optimal in security and user experience, and why is the Reserve
   Bank of India supplementing them with other 2FA methods?** SMS OTPs are insecure
   because they can be intercepted, exploited through SIM swaps and social engineering,
   fail against APP fraud, and often suffer from delivery issues, leading the RBI to
   require stronger 2FA methods.

2. **What are the secure authentication alternatives that provide better security
   alongside or instead of SMS OTPs?** The RBI framework encourages passkeys (as the best
   phishing-resistant authentication method), since they represent the gold standard of
   future authentication. Apart from that, app-based tokens, device-native or Aadhaar
   biometrics with liveness check are also approved alternatives.

3. **What are the compliance deadlines and requirements set out in the RBI Directions?** The
   RBI Directions, 2025 mandate 2FA for all domestic digital payments by April 1, 2026,
   migration of digital banking domains to .bank.in by October 31, 2025, and risk-based
   controls for cross-border [CNP](https://www.corbado.com/glossary/cnp) transactions by October 1, 2026.

## Frequently Asked Questions

### What are all the compliance deadlines financial institutions must meet under the RBI's 2025 Authentication Directions?

Three deadlines apply: migration of digital banking domains to the exclusive .bank.in
domain by October 31, 2025; full 2FA implementation for domestic digital payments by April
1, 2026; and risk-based controls for cross-border Card-Not-Present transactions by October
1, 2026. All Payment System Providers and Participants, including non-bank entities, must
comply.

### Why is the RBI requiring banks to migrate to .bank.in domains and how does this connect to the authentication overhaul?

The .bank.in migration deadline of October 31, 2025 is a complementary phishing and
spoofing countermeasure. By restricting the domain space before the 2FA deadline, the RBI
secures the initial customer contact point, preventing fraudsters from impersonating banks
before authentication even begins.

### Why are SMS OTPs ineffective against Authorized Push Payment fraud in Indian digital payments?

In Authorized Push Payment fraud, a deceived customer voluntarily authorizes the
transaction, making the OTP a tool of the crime rather than a safeguard. The RBI's
response requires dynamic, device-bound authentication factors, including app-based tokens
and FIDO-based credentials, which cannot be bypassed through social engineering.

### What specific authentication methods does the RBI's 2025 framework approve as alternatives to SMS OTP?

The framework approves three factor categories: something known (passwords or PINs),
something possessed (device-bound cryptographic tokens or app-based software tokens) and
something inherent (device-native biometrics or Aadhaar-based biometrics with liveness
checks). The FIDO Alliance submitted input to the RBI in December 2024 advocating
passkeys, which satisfy both possession and inherence factors in a single action.
