
UAE Banking SMS OTP Phase Out: 2026 Directive Breakdown

Learn how to stay compliant with the 2026 UAE Banking Directive that phases out SMS and email OTPs and what alternatives, such as passkeys, to roll out.

alexander petrovski

Alex

Created: July 10, 2025

Updated: July 11, 2025



1. Introduction: Why is the UAE banning SMS and Email OTPs in Banking?

The UAE’s financial sector faces pressure from an increasingly sophisticated cyber threat landscape. Cybercriminals now launch around 14,000 cyberattacks every single day targeting the nation’s banking and financial institutions. From 2023 to 2024 alone, ransomware attacks on UAE banks increased by 26%, with major ransomware groups like LockBit and BlackCat routinely demanding multi-million dollar ransoms. As a result, cumulative losses due to cyber incidents across the UAE financial industry have surpassed $2.5 billion since 2020.

One of the key vulnerabilities exploited by cybercriminals is the use of outdated SMS and email-based one-time passwords (OTPs). While SMS OTPs have long been a convenient method for verifying user identities, they’ve become susceptible to modern attack techniques such as SIM-swapping, phishing, and sophisticated interception attacks. Recognizing these escalating risks, the Central Bank of the UAE (CBUAE) has mandated the elimination of SMS and email OTP authentication methods for financial services by March 31, 2026.

In this blog post, we provide insights for financial institutions and answer the most important questions regarding this regulatory change:

  1. Why exactly is the Central Bank of the UAE (CBUAE) requiring the phase-out of SMS/email OTPs?

  2. Which modern and secure authentication alternatives should UAE financial institutions implement to stay compliant?

  3. How can UAE banks efficiently and realistically navigate this significant transition before the 2026 deadline?

2. Why are SMS and Email OTPs no longer secure enough for modern Banking Authentication?

For many years, SMS and email-based one-time passwords (OTPs) have been the default authentication method used by financial institutions worldwide, including banks and fintech providers in the UAE. They were initially chosen for their simplicity and ease of deployment, making them a convenient choice for verifying user identities during transactions or logins. However, today’s reality paints a different picture, one characterized by escalating security threats and significant vulnerabilities that cybercriminals have learned to exploit with alarming efficiency.

2.1 Growing technical Vulnerabilities

SMS and email OTPs rely on outdated communication protocols and network infrastructures. They are particularly vulnerable to cyberattacks such as:

  • SIM-swapping: Attackers trick telecom providers into assigning a victim’s phone number to a different SIM card, intercepting OTPs sent via SMS.
  • SS7 protocol exploits: Hackers exploit weaknesses in mobile telecommunication networks, redirecting or intercepting SMS messages undetected.
  • Phishing and spear-phishing attacks: Criminals deceive users into revealing their OTPs, enabling unauthorized account access and fraudulent transactions.

These are not theoretical risks. In 2023 alone, over 40,000 fraud victims in the UAE lost an average of $2,194 each, totaling nearly $87 million. Globally, fraud linked directly to SMS-based OTP vulnerabilities cost enterprises an estimated $6.7 billion in 2023.

2.2 Operational and financial Burdens

Beyond security risks, SMS OTPs are costly and inefficient at scale. Financial institutions typically pay telecom providers for each SMS sent, which quickly becomes a significant recurring expense as the volume of digital transactions continues to rise. Other authentication methods can provide better security and also form a strong business case for cost savings.

Additionally, SMS-based OTPs offer a suboptimal user experience, causing friction as users manually copy codes between messages and banking apps. These interruptions can lead to higher transaction abandonment rates. Furthermore, manual entry errors can lead to repeated failed attempts, frustrating users and increasing operational support costs for financial institutions.

> Read here to see how Corbado helped VicRoads save 50% of SMS OTP traffic by offering passkeys to 5 million customers.

2.3 Regulatory Non-Compliance

From a compliance perspective, SMS OTPs no longer meet the stringent security expectations established by modern global regulatory frameworks, including the UAE Central Bank’s (CBUAE) latest directive. Regulators increasingly require robust, cryptographic and biometric-based methods that dynamically respond to threats and prevent fraud proactively.

The move away from SMS and email OTPs aligns with similar regulatory measures globally, including recent mandates in Singapore, Malaysia, and Hong Kong, and recommendations from authorities like the U.S. Cybersecurity and Infrastructure Security Agency (CISA).


As the UAE banking sector phases out traditional SMS and email OTPs due to growing cybersecurity threats and regulatory demands, financial institutions need clear guidance on the secure and compliant alternatives they should implement. The Central Bank of the UAE (CBUAE) directive explicitly calls for “robust, risk-based user-authentication technologies.” But what exactly do these entail, and how can UAE banks practically adopt them?

3.1 Proprietary biometric authentication solutions: Emirates Face Recognition and more

Facial biometrics have emerged as one preferred method due to their combination of user convenience and superior security. Solutions like Emirates Face Recognition leverage advanced AI-powered facial matching technologies that securely verify user identities in real-time. These methods are resistant to common threats such as phishing or SIM swaps, and provide customers a frictionless experience: users simply authenticate by looking at their devices, eliminating manual code entry entirely. However, a key drawback of such proprietary solutions is the dependency on specific vendors and closed ecosystems, which may limit interoperability and raise concerns in highly regulated industries such as banking. Regulatory scrutiny and trust requirements in financial services often demand open, standardized approaches.

(Passkeys, for example, are a different authentication method that is developed as an industry-wide standard by the FIDO Alliance. Because of that, they offer a vendor-neutral, consistent, and phishing-resistant alternative.)

Other biometric authentication options gaining momentum include fingerprint recognition and voice biometrics.

3.2 Soft Tokens and Cryptographic Security

Soft tokens represent a more secure evolution from SMS OTPs; however, they are still a nightmare to use for consumers. Instead of receiving a code via text or email, customers authenticate themselves using cryptographically generated codes or digital certificates securely stored and accessed via their mobile banking apps. Unlike SMS-based OTPs, these cryptographic tokens cannot be intercepted by SIM-swapping or SMS interception techniques.

By embedding strong cryptography, soft tokens offer banks significantly enhanced security, meeting stringent regulatory demands and reducing risks associated with fraud and identity theft. Furthermore, they’re cost-effective, eliminating expensive per-message telecom fees associated with SMS OTPs. The main downside to soft tokens is that they do not offer a seamless user experience: the authentication process requires the use of additional apps or reading out push notifications, which is the peak of consumer unfriendliness since customers have to leave the banking app and use other apps.


3.3 Passkeys as convenient, phishing-resistant MFA

Passkeys are quickly becoming the global gold standard for secure, phishing-resistant multi-factor authentication. Based on the FIDO2 (Fast Identity Online) standards, passkeys use cryptographic keys securely stored on customer devices, such as smartphones, laptops, or security keys, to authenticate users without passwords or OTP codes.

Many major financial institutions are actively investing in passkeys, highlighting their practicality, accessibility, and ease of integration. Passkeys represent an independent and user-friendly authentication method, widely preferred by customers due to their familiarity with biometric methods like Face ID and Touch ID.

Key benefits of passkeys:

  • Work seamlessly across all browsers without installation
  • Compatible with both web and native apps
  • Phishing-resistant, reducing reliance on passwords and OTP codes
  • Cost-effective to implement and maintain

For UAE banks, adopting passkeys significantly reduces phishing risks and strengthens security, aligning perfectly with CBUAE’s regulatory objectives.


3.5 Real-time Fraud Monitoring and Session Controls

Beyond robust authentication methods, the CBUAE also mandates that financial institutions adopt real-time fraud monitoring systems. Such systems continuously analyze user activity for signs of suspicious behavior or malicious attacks, such as device tampering, session hijacking, or unusual transaction patterns.

When potential fraud is detected, the system immediately suspends active sessions or triggers step-up authentication, protecting customer accounts proactively. Implementing such systems is crucial not only for regulatory compliance but also for minimizing financial losses and preserving customer trust.
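A minimal sketch of that decision logic, added here as an example and not taken from the directive or from any vendor's product: each session event is mapped to allow, step-up or suspend. The field names, the sample events and the 5x amount threshold are assumptions.

```javascript
// Added illustration: rule-based session risk control. Field names and
// thresholds are assumptions, not values from the CBUAE directive.
const AMOUNT_MULTIPLIER = 5; // transfers above 5x the customer's median are unusual

function evaluate(session, event) {
  if (session.suspended) return { decision: 'suspend', reasons: ['session-suspended'] };
  const reasons = [];
  // Session hijacking signal: session token presented by a device other than the bound one.
  if (event.deviceId !== session.deviceId) reasons.push('device-mismatch');
  // Device tampering signal: the app's integrity check failed.
  if (event.integrityOk === false) reasons.push('integrity-failed');
  if (reasons.length > 0) {
    session.suspended = true; // kill the session; later events stay blocked
    return { decision: 'suspend', reasons };
  }
  if (event.type === 'transfer') {
    if (event.amount > AMOUNT_MULTIPLIER * session.medianTransfer) reasons.push('unusual-amount');
    if (!session.knownPayees.includes(event.payee)) reasons.push('new-payee');
    if (reasons.length > 0 && !event.stepUpVerified) return { decision: 'step-up', reasons };
  }
  return { decision: 'allow', reasons };
}

// Constructed sample data: one session and the events seen on it, in order.
function replaySample() {
  const session = { deviceId: 'dev-A', medianTransfer: 400, knownPayees: ['landlord'], suspended: false };
  const events = [
    { type: 'view-balance', deviceId: 'dev-A', integrityOk: true },
    { type: 'transfer', deviceId: 'dev-A', integrityOk: true, amount: 350, payee: 'landlord' },
    { type: 'transfer', deviceId: 'dev-A', integrityOk: true, amount: 9000, payee: 'acct-771' },
    { type: 'transfer', deviceId: 'dev-A', integrityOk: true, amount: 9000, payee: 'acct-771', stepUpVerified: true },
    { type: 'transfer', deviceId: 'dev-B', integrityOk: true, amount: 100, payee: 'landlord' },
    { type: 'view-balance', deviceId: 'dev-A', integrityOk: true },
  ];
  return events.map((e) => evaluate(session, e).decision);
}

console.log(replaySample());
```

The returned reasons give the audit trail for each decision; a production system would persist them alongside the session record.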

4. What could a realistic Implementation Roadmap look like for UAE Banks to meet the 2026 Deadline?

With less than a year left until the March 31, 2026 deadline set by the Central Bank of the UAE (CBUAE), financial institutions must move quickly to meet the new authentication requirements. Transitioning away from SMS and email-based OTPs to secure, biometric, cryptographic and risk-based alternatives will involve careful planning, phased execution, and proactive customer communication. Here’s how a realistic and achievable implementation roadmap might look:

4.1 Phase 1: Assessment, Strategy and Vendor Selection (Q3-Q4 2025)

  • Gap Analysis: Conduct an in-depth review of existing authentication infrastructure, processes, and customer journeys. Identify vulnerabilities, operational inefficiencies, compliance gaps, and technology readiness.
  • Strategy and Solution Design: Define a clear strategic approach for replacing SMS and email OTPs. Decide which authentication methods (facial biometrics, soft tokens, passkeys, UAE Pass integration) best align with customer expectations, regulatory demands and internal capabilities.
  • Vendor Evaluation and Selection: Evaluate vendors and technology partners offering secure authentication solutions aligned with CBUAE requirements. Critical considerations include scalability, security, ease of integration, customer experience, vendor reliability, and future readiness.
  • Communication Plan Development: Develop an internal and external communication plan outlining the timeline, customer impact, educational content and the transition journey. Inform stakeholders early to minimize disruption and confusion.

4.2 Phase 2: Technical Integration, Testing and Pilot Deployment (Late Q4 2025 / Early Q1 2026)

  • System Integration: Integrate the selected authentication solutions with existing mobile banking apps, customer databases and identity verification platforms (e.g., Emirates ID and UAE Pass). Avoiding any migration of customer data is crucial and speeds up the deployment massively.
  • Rigorous Security and Usability Testing: Perform extensive testing to ensure the new authentication methods are secure, reliable and user-friendly. This includes penetration testing, vulnerability assessments and user experience tests.
  • Pilot Rollout with Targeted Customer Groups: Launch pilot programs with limited customer groups to test real-world performance, identify potential pain points, and validate user adoption. Gather insights to fine-tune the user experience and technical stability.
  • Fraud Monitoring and Real-time Risk Controls Implementation: Integrate new authentication methods with advanced, real-time fraud detection systems, including the capability for automated session suspension and step-up authentication to proactively counter threats.

4.3 Phase 3: Full Deployment, Customer Migration, and Compliance Validation (Mid Q1 to March 2026)

  • Full-Scale Rollout: Expand successful pilots across the entire customer base, replacing SMS and email OTP methods entirely with the new secure authentication mechanisms. Carefully phase this rollout to prevent service disruptions or customer confusion.
  • Continuous Customer Communication and Education: Launch clear, targeted, multilingual communication campaigns explaining the new authentication processes and the security benefits. Provide easy-to-follow user guides, FAQs, and self-service support tools to help customers smoothly adopt the new system.
  • Staff Training and Internal Readiness: Train internal customer support and technical teams thoroughly on the new authentication systems, troubleshooting procedures, and communication protocols to ensure responsive customer support.
  • Compliance and Audit Preparation: Document all implementation steps, security measures, and internal controls to ensure audit readiness. Proactively engage with CBUAE to demonstrate compliance progress and readiness for the March 2026 deadline.

5. How will the CBUAE Directive impact Banks and Consumers in the UAE?

The Central Bank of UAE’s (CBUAE) directive mandating the phase-out of SMS and email-based OTPs by March 2026 brings significant change, not just for financial institutions, but also for the millions of customers who interact with banks daily. Both groups will face new challenges and opportunities as secure, user-friendly authentication becomes the new standard. Here’s what banks and consumers in the UAE should expect:

5.1 Impact on UAE Banks: Balancing Investment, Security and Efficiency

5.1.1 Increased initial Investment

Transitioning to secure authentication methods such as biometrics, cryptographic soft tokens, passkeys, and UAE Pass integration involves upfront costs, including technology licensing, vendor selection, infrastructure upgrades, and internal training. Banks must also ensure seamless integration with existing customer databases, KYC processes, fraud detection systems, and mobile banking apps.

5.1.2 Reduced operational Costs and Fraud Risk

Despite these initial expenses, moving away from SMS and email OTPs offers substantial long-term financial benefits. Eliminating costly per-message fees paid to telecom providers represents significant savings, especially at scale. More critically, banks will significantly reduce fraud-related losses, given the stronger security posture provided by phishing-resistant authentication methods.

5.1.3 Enhanced Customer Experiences and Competitive Advantage

Banks that successfully implement seamless, secure authentication experiences stand to gain competitive advantages. Consumers increasingly expect frictionless, convenient, yet secure interactions with financial institutions. Banks delivering on these expectations can enhance customer loyalty, drive higher transaction completion rates, and position themselves as digital leaders in the UAE banking market.

5.2 Impact on Consumers: Stronger Security, easier Access but Education is essential

For UAE consumers, the directive promises meaningful improvements in banking security, convenience and ease of use, but also requires adaptation and awareness:

5.2.1 Enhanced Security and Fraud Protection

Replacing SMS and email OTPs with biometric methods (such as facial recognition or fingerprint verification) or cryptographic tokens significantly strengthens protection against common threats like phishing, SIM-swapping, and identity theft. Customers will benefit from reduced vulnerability and increased trust that their banking transactions remain secure.

5.2.2 Improved User Experience

The new authentication methods, particularly biometrics and passkeys, offer a much smoother, frictionless user experience. Instead of manually entering OTP codes, customers will authenticate themselves seamlessly by simply looking at their smartphone camera, scanning their fingerprint, or using secure tokens stored on their devices. This improved ease-of-use can encourage broader adoption of digital banking services.

5.2.3 Consumer Education and Adoption Challenges

However, a major challenge is educating customers about the new authentication processes. Banks must invest proactively in clear, accessible, multilingual communication campaigns explaining the new systems, their security benefits, and step-by-step instructions for use. Special attention should be given to less tech-savvy customers and those unfamiliar with biometric or digital identity technologies, ensuring inclusive adoption.


6. Conclusion

The Central Bank of UAE’s decision to phase out SMS and email-based OTPs by March 2026 marks a critical turning point for banking and digital security in the UAE. While the directive presents immediate implementation challenges, it also offers a strategic opportunity for banks to significantly enhance customer trust, reduce fraud risks, and deliver superior digital experiences.

Throughout this blog, we’ve explored three key questions essential to understanding and navigating the CBUAE’s new directive:

Why exactly is the CBUAE requiring the phase-out of SMS/email OTPs? SMS and email OTPs have become dangerously vulnerable to SIM-swapping, phishing, and interception attacks, posing significant security risks and financial losses for institutions and customers alike.

Which modern and secure authentication alternatives should financial institutions implement to stay compliant? The best option for banks would be to transition from SMS OTP to passkeys. Passkeys are the industry gold standard because of their user-friendliness and security. Other solutions, such as biometric authentication (like facial recognition) and cryptographic soft tokens combined with real-time fraud monitoring, are also a solid option.

How can UAE banks efficiently and realistically navigate this significant transition before the 2026 deadline? By conducting early assessments, selecting reliable technology partners, deploying phased pilot programs, and prioritizing clear customer communication and education, banks can meet compliance smoothly and on schedule.
