---
url: 'https://www.corbado.com/blog/uae-banking-otp-phase-out'
title: 'UAE Banking SMS OTP Phase Out: 2026 Directive Breakdown'
description: 'Learn how to stay compliant with the 2026 UAE Banking Directive that phases out SMS and email OTPs and what alternatives, such as passkeys, to roll out.'
lang: 'en'
author: 'Alex'
date: '2025-07-10T16:56:44.127Z'
lastModified: '2026-03-27T07:01:38.054Z'
keywords: 'UAE SMS OTP ban, CBUAE authentication directive, UAE OTP replacement 2026, UAE banking authentication mandate, Biometric authentication UAE, Passkey authentication UAE, Emirates ID integration banking, UAE Pass banking integration, UAE banking compliance '
category: 'Authentication'
---

# UAE Banking SMS OTP Phase Out: 2026 Directive Breakdown

## Key Facts

- The **CBUAE directive** mandates UAE financial institutions eliminate SMS and email OTP
  authentication by March 31, 2026, replacing them with biometric or cryptographic
  alternatives.
- UAE banks face **14,000 cyberattacks daily**, with ransomware attacks rising 26% from
  2023 to 2024 and cumulative cyber losses exceeding 2.5 billion USD since 2020.
- **SMS OTP fraud** cost UAE victims nearly 87 million USD in 2023 alone; globally,
  enterprises lost an estimated 6.7 billion USD to OTP-related fraud that year.
- Compliant replacements include **Emirates Face Recognition**, cryptographic soft tokens
  and FIDO2-based passkeys. Banks must reach full compliance through three implementation
  phases by March 2026.

## 1. Introduction: Why is the UAE banning SMS and Email OTPs in Banking?

The UAE’s financial sector faces pressure from an increasingly sophisticated
[cyber threat](https://www.corbado.com/glossary/cyber-threat) landscape. Cybercriminals now launch around
[**14,000 cyberattacks every single day**](https://english.alarabiya.net/News/gulf/2025/01/21/uae-reports-over-200-000-daily-cyberattacks-on-strategic-sectors)
targeting the nation’s [banking](https://www.corbado.com/passkeys-for-banking) and financial institutions. From
2023 to 2024 alone, [ransomware](https://www.corbado.com/glossary/ransomware) attacks on UAE banks increased by
26%, with major [ransomware](https://www.corbado.com/glossary/ransomware) groups like LockBit and BlackCat
routinely demanding multi-million dollar ransoms. As a result, cumulative losses due to
cyber incidents across the UAE financial industry have surpassed $2.5 billion since 2020.

One of the key [vulnerabilities](https://www.corbado.com/glossary/vulnerability) exploited by cybercriminals is
the use of outdated SMS and email-based one-time passwords (OTPs). While SMS OTPs have
long been a convenient method for verifying user identities, they’ve become susceptible to
modern attack techniques such as SIM-swapping, [phishing](https://www.corbado.com/glossary/phishing), and
sophisticated interception attacks. Recognizing these escalating risks, the Central Bank
of the UAE (CBUAE) has mandated the elimination of SMS and email OTP authentication
methods for [financial services](https://www.corbado.com/passkeys-for-banking) by March 31, 2026.

In this post, we provide insights for financial institutions and answer the
most important questions regarding this regulatory change:

1. Why exactly is the Central Bank of the UAE (CBUAE) requiring the phase-out of SMS/email
   OTPs?

2. Which modern and secure authentication alternatives should UAE financial institutions
   implement to stay compliant?

3. How can UAE banks efficiently and realistically navigate this significant transition
   before the 2026 deadline?

## 2. Why are SMS and Email OTPs no longer secure enough for modern Banking Authentication?

For many years, SMS and email-based one-time passwords (OTPs) have been the default
authentication method used by financial institutions worldwide, including banks and
fintech providers in the UAE. They were initially chosen for their simplicity and ease of
deployment, making them a convenient choice for verifying user identities during
transactions or logins. However, today’s reality paints a different picture, one
characterized by escalating security threats and significant
[vulnerabilities](https://www.corbado.com/glossary/vulnerability) that cybercriminals have learned to
[exploit](https://www.corbado.com/glossary/exploit) with alarming efficiency.

### 2.1 Growing technical Vulnerabilities

SMS and email OTPs rely on outdated communication protocols and network infrastructures.
They are particularly vulnerable to cyberattacks such as:

- **SIM-swapping**: Attackers trick [telecom](https://www.corbado.com/passkeys-for-telecom) providers into
  assigning a victim’s phone number to a different SIM card, intercepting OTPs sent via
  SMS.
- **SS7 protocol exploits**: Hackers [exploit](https://www.corbado.com/glossary/exploit) weaknesses in mobile
  [telecommunication](https://www.corbado.com/blog/telstra-passkeys) networks, redirecting or intercepting SMS
  messages undetected.
- **Phishing and spear-phishing attacks**: Criminals deceive users into revealing their
  OTPs, enabling unauthorized account access and fraudulent transactions.

These are not theoretical risks. In 2023 alone, over 40,000 fraud victims in the UAE lost
an average of $2,194 each, totaling nearly $87 million. Globally, fraud linked directly to
SMS-based OTP [vulnerabilities](https://www.corbado.com/glossary/vulnerability) cost enterprises an estimated
$6.7 billion in 2023.

### 2.2 Operational and financial Burdens

Beyond security risks, SMS OTPs are costly and inefficient at scale. Financial
institutions typically pay [telecom](https://www.corbado.com/passkeys-for-telecom) providers for each SMS sent,
which quickly becomes a significant recurring expense as the volume of digital
transactions continues to rise. Other authentication methods can provide better security
and also form a strong [business case](https://www.corbado.com/blog/passkey-adoption-business-case) for cost
savings.

Additionally, SMS-based OTPs offer a suboptimal user experience, causing friction as users
manually copy codes between messages and [banking](https://www.corbado.com/passkeys-for-banking) apps. These
interruptions can lead to higher transaction abandonment rates. Furthermore, manual entry
errors can lead to repeated failed attempts, frustrating users and increasing operational
support costs for financial institutions.

### 2.3 Regulatory Non-Compliance

From a compliance perspective, SMS OTPs no longer meet the stringent security expectations
established by modern global regulatory frameworks, including the UAE Central Bank’s
(CBUAE) latest directive. Regulators increasingly require robust, cryptographic and
biometric-based methods that dynamically respond to threats and prevent fraud proactively.

The move away from SMS and email OTPs aligns with similar regulatory measures globally,
including recent mandates in Singapore,
[Malaysia](https://www.komunikasi.gov.my/en/public/news/22873-financial-institutions-instructed-by-bank-negara-to-beef-up-security-against-financial-scams),
and [Hong Kong](https://brdr.hkma.gov.hk/eng/doc-ldg/docId/20241101-1-EN), and
recommendations from authorities like the U.S. Cybersecurity and Infrastructure Security
Agency (CISA).

## 3. What are the recommended Authentication Alternatives Banks in the UAE must implement?

As the UAE [banking](https://www.corbado.com/passkeys-for-banking) sector phases out traditional SMS and email
OTPs due to growing cybersecurity threats and regulatory demands, financial institutions
need clear guidance on the secure and compliant alternatives they should implement. The
Central Bank of the UAE (CBUAE) directive explicitly calls for “robust, risk-based
user-authentication technologies.” But what exactly do these entail, and how can UAE banks
practically adopt them?

### 3.1 Proprietary biometric authentication solutions: Emirates Face Recognition and more

Facial biometrics have emerged as one preferred method due to their combination of user
convenience and superior security. Solutions like
[Emirates Face Recognition](https://www.facerecognition.ae/) leverage advanced AI-powered
facial matching technologies that securely verify user identities in real-time. These
methods are resistant to common threats such as [phishing](https://www.corbado.com/glossary/phishing) or SIM
swaps, and provide customers a frictionless experience: users simply authenticate by
looking at their devices, eliminating manual code entry entirely. However, a key drawback
of such proprietary solutions is the dependency on specific vendors and closed ecosystems,
which may limit interoperability and raise concerns in highly regulated industries such as
banking. Regulatory scrutiny and trust requirements in
[financial services](https://www.corbado.com/passkeys-for-banking) often demand open, standardized approaches.

(Passkeys, for example, are a different authentication method that is developed as an
industry-wide standard by the [FIDO Alliance](https://www.corbado.com/glossary/fido-alliance). Because of that,
they offer a vendor-neutral, consistent, and [phishing](https://www.corbado.com/glossary/phishing)-resistant
alternative.)

Other [biometric authentication](https://www.corbado.com/blog/passkeys-biometric-authentication) options gaining
momentum include fingerprint recognition and voice biometrics.

### 3.2 Soft Tokens and Cryptographic Security

Soft tokens represent a more secure evolution from SMS OTPs; however, they are still a
nightmare to use for consumers. Instead of receiving a code via text or email, customers
authenticate themselves using cryptographically generated codes or
[digital certificates](https://www.corbado.com/glossary/microcredentials) securely stored and accessed via their
mobile banking apps. Unlike SMS-based OTPs, these cryptographic tokens cannot be
intercepted by SIM-swapping or SMS interception techniques.

By embedding strong cryptography, soft tokens offer banks significantly enhanced security,
meeting stringent regulatory demands, and reducing risks associated with fraud and
identity theft. Furthermore, they’re cost-effective, eliminating expensive per-message
[telecom](https://www.corbado.com/passkeys-for-telecom) fees associated with SMS OTPs. The main downside of soft
tokens is that they do not offer a seamless user experience for the customer: the
authentication process requires the use of additional apps or reading out push
notifications, which is the height of consumer-unfriendliness since customers have to
leave the banking app and use other apps.

Currently, UAE banks are standardizing on in-app approvals and soft tokens for transaction
authorization, with no major institutions publicly implementing direct passkey-based
transaction approval yet. While passkeys are expected to play a complementary role
(particularly for sign-in authentication), app-based confirmation remains the required
standard for sensitive web transactions under current regulatory guidance. This approach
reflects the banking sector's cautious, phased adoption of new authentication technologies
while maintaining compliance with CBUAE requirements.

### 3.3 Passkeys as convenient, phishing-resistant MFA

Passkeys are quickly becoming the global gold standard for secure, phishing-resistant
multi-factor authentication. Based on the
[FIDO2 (Fast Identity Online)](https://fidoalliance.org/passkeys/) standards, passkeys use
cryptographic keys securely stored on customer devices, such as smartphones, laptops, or
security keys, to authenticate users without passwords or OTP codes.

Many major financial institutions are actively investing in passkeys, highlighting their
practicality, accessibility, and ease of integration. Passkeys represent an independent
and
[user-friendly authentication](https://www.corbado.com/faq/passkey-user-experience-benefits-non-technical-audience)
method, widely preferred by customers due to their familiarity with biometric methods like
[Face ID](https://www.corbado.com/faq/is-face-id-passkey) and Touch ID.

Key benefits of passkeys:

- Work seamlessly across all browsers without installation
- Compatible with both web and native apps
- Phishing-resistant, reducing reliance on passwords and OTP codes
- Cost-effective to implement and maintain

For UAE banks, adopting passkeys significantly reduces phishing risks and strengthens
security, aligning perfectly with CBUAE’s regulatory objectives.
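
The checks a bank's server runs on a passkey sign-in show where the phishing resistance comes from: the signature is bound to a one-time challenge and to the origin the browser reports. This Node.js code is an added example, not code from this article or from any vendor it mentions; `bank.example`, the function names and the simulated authenticator are assumptions, and it assumes an ES256 credential whose public key was stored at registration.

```javascript
const crypto = require('node:crypto');

// Assumed relying-party values for this example (not from the article).
const RP_ID = 'bank.example';
const RP_ORIGIN = 'https://bank.example';

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
const reject = (reason) => ({ ok: false, reason });

// Server-side verification of a WebAuthn assertion for an ES256 credential.
function verifyAssertion(assertion, expectedChallenge, publicKey) {
  const { clientDataJSON, authenticatorData, signature } = assertion;
  let clientData;
  try { clientData = JSON.parse(clientDataJSON.toString('utf8')); }
  catch { return reject('malformed clientDataJSON'); }

  if (clientData.type !== 'webauthn.get') return reject('wrong type');
  // One-time challenge: a captured assertion cannot be replayed later.
  if (clientData.challenge !== expectedChallenge) return reject('challenge mismatch');
  // The browser writes the origin, so a look-alike site cannot claim ours.
  if (clientData.origin !== RP_ORIGIN) return reject('origin mismatch');

  // authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4) | ...
  if (authenticatorData.length < 37) return reject('authenticator data too short');
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return reject('rpId mismatch');
  const flags = authenticatorData[32];
  if ((flags & 0x01) === 0) return reject('user not present');
  if ((flags & 0x04) === 0) return reject('user not verified');

  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', signed, publicKey, signature)) return reject('bad signature');
  return { ok: true, signCount: authenticatorData.readUInt32BE(33) };
}

// Constructed stand-in for browser + authenticator, used only to produce test input.
function simulateAssertion(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const flags = Buffer.from([0x05]); // user present + user verified
  const signCount = Buffer.from([0, 0, 0, 1]);
  const authenticatorData = Buffer.concat([sha256(rpId), flags, signCount]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

function demo() {
  // prime256v1 is the OpenSSL name for NIST P-256 (the ES256 curve).
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const newChallenge = () => crypto.randomBytes(32).toString('base64url');
  const challenge = newChallenge();

  const genuine = simulateAssertion(privateKey, challenge, RP_ORIGIN, RP_ID);
  // A real authenticator would not release this credential to another RP ID at all;
  // this case models the server-side check that backs that up.
  const lookalike = simulateAssertion(privateKey, challenge, 'https://bank-example.test', 'bank-example.test');
  const tampered = { ...genuine, authenticatorData: Buffer.from(genuine.authenticatorData) };
  tampered.authenticatorData[36] ^= 0xff; // alter the signed counter

  return {
    genuine: verifyAssertion(genuine, challenge, publicKey),
    lookalike: verifyAssertion(lookalike, challenge, publicKey),
    replayed: verifyAssertion(genuine, newChallenge(), publicKey),
    tampered: verifyAssertion(tampered, challenge, publicKey),
  };
}

console.log(demo());
```

A production relying party would additionally look up the credential by its ID and compare `signCount` against the last stored value.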

### 3.5 Real-time Fraud Monitoring and Session Controls

Beyond robust authentication methods, the CBUAE also mandates that financial institutions
adopt **real-time fraud monitoring systems**. Such systems continuously analyze user
activity for signs of suspicious behavior or malicious attacks, such as device tampering,
[session hijacking](https://www.corbado.com/blog/3ds-authentication-failed), or unusual transaction patterns.

When potential fraud is detected, the system immediately suspends active sessions or
triggers [step-up authentication](https://www.corbado.com/glossary/step-up-authentication), protecting customer
accounts proactively. Implementing such systems is crucial not only for regulatory
compliance but also for minimizing financial losses and preserving customer trust.
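
The decision logic described above, as an added example that is not part of the original article or of any CBUAE specification: each session event is checked for the three signals named (device tampering, session hijacking, unusual transactions) and answered with allow, step-up or suspension. The event fields, the customer profile and the `amountFactor` threshold are hypothetical.

```javascript
const ACTION = Object.freeze({ ALLOW: 'allow', STEP_UP: 'step_up', SUSPEND: 'suspend' });

function median(values) {
  const sorted = [...values].sort((a, b) => a - b);
  const mid = Math.floor(sorted.length / 2);
  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

// Returns an evaluate(event) function that keeps per-session state.
// profile.recentAmounts: the customer's recent transfer amounts (assumed input).
// amountFactor: hypothetical threshold, in multiples of the customer's median transfer.
function createMonitor(profile, { amountFactor = 5 } = {}) {
  const typicalAmount = median(profile.recentAmounts);
  const sessions = new Map(); // sessionId -> { deviceId, suspended }

  const suspend = (state, reason) => {
    state.suspended = true; // every later event in this session is refused
    return { action: ACTION.SUSPEND, reason };
  };

  return function evaluate(event) {
    let state = sessions.get(event.session);
    if (!state) {
      // The first event of a session binds it to the device that logged in.
      state = { deviceId: event.deviceId, suspended: false };
      sessions.set(event.session, state);
    }
    if (state.suspended) return { action: ACTION.SUSPEND, reason: 'session already suspended' };
    // Device tampering: the app's integrity check failed.
    if (!event.integrityOk) return suspend(state, 'device integrity check failed');
    // Session hijacking indicator: same session, different device.
    if (event.deviceId !== state.deviceId) return suspend(state, 'device changed mid-session');
    // Unusual transaction pattern: re-authenticate before executing the transfer.
    if (event.type === 'transfer') {
      if (event.amount > amountFactor * typicalAmount) {
        return { action: ACTION.STEP_UP, reason: 'amount far above customer median' };
      }
      if (event.newPayee) return { action: ACTION.STEP_UP, reason: 'first transfer to this payee' };
    }
    return { action: ACTION.ALLOW, reason: 'no risk signal' };
  };
}

// Constructed sample events (not real log data).
const SAMPLE_EVENTS = [
  { session: 's1', type: 'login', deviceId: 'dev-A', integrityOk: true },
  { session: 's1', type: 'transfer', deviceId: 'dev-A', integrityOk: true, amount: 250, newPayee: false },
  { session: 's1', type: 'transfer', deviceId: 'dev-A', integrityOk: true, amount: 4000, newPayee: true },
  { session: 's1', type: 'transfer', deviceId: 'dev-B', integrityOk: true, amount: 100, newPayee: false },
  { session: 's1', type: 'balance', deviceId: 'dev-A', integrityOk: true },
  { session: 's2', type: 'login', deviceId: 'dev-C', integrityOk: false },
];

function runSample() {
  const evaluate = createMonitor({ recentAmounts: [120, 80, 300, 150, 200] });
  return SAMPLE_EVENTS.map((event) => evaluate(event).action);
}

console.log(runSample());
```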

## 4. What could a realistic Implementation Roadmap look like for UAE Banks to meet the 2026 Deadline?

With less than a year left until the March 31, 2026 deadline set by the Central Bank of
UAE (CBUAE), financial institutions must move quickly with the new authentication
requirements. Transitioning away from SMS and email-based OTPs to secure, biometric,
cryptographic and risk-based alternatives will involve careful planning, phased execution,
and proactive customer communication. Here’s how a realistic and achievable implementation
roadmap might look:

### 4.1 Phase 1: Assessment, Strategy and Vendor Selection (Q3-Q4 2025)

- **Gap Analysis**: Conduct an in-depth review of existing authentication infrastructure,
  processes, and customer journeys. Identify vulnerabilities, operational inefficiencies,
  compliance gaps, and technology readiness.
- **Strategy and Solution Design**: Define a clear strategic approach for replacing SMS
  and email OTPs. Decide which authentication methods (facial biometrics, soft tokens,
  passkeys, UAE Pass integration) best align with customer expectations, regulatory
  demands and internal capabilities.
- **Vendor Evaluation and Selection**: Evaluate vendors and technology partners offering
  secure authentication solutions aligned with CBUAE requirements. Critical considerations
  include scalability, security, ease of integration, customer experience, vendor
  reliability, and future readiness.
- **Communication Plan Development**: Develop an internal and external communication plan
  outlining the timeline, customer impact, educational content and the transition journey.
  Inform [stakeholders](https://www.corbado.com/blog/passkeys-stakeholder) early to minimize disruption and
  confusion.

### 4.2 Phase 2: Technical Integration, Testing and Pilot Deployment (Late Q4 2025 / Early Q1 2026)

- **System Integration**: Integrate the selected authentication solutions with existing
  mobile banking apps, customer databases and
  [identity verification](https://www.corbado.com/blog/digital-identity-guide) platforms (e.g., Emirates ID and
  UAE Pass). Avoiding any migration of customer data is crucial and speeds up the
  deployment massively.
- **Rigorous Security and Usability Testing**: Perform extensive testing to ensure the new
  authentication methods are secure, reliable and user-friendly. This includes penetration
  testing, [vulnerability](https://www.corbado.com/glossary/vulnerability) assessments and user experience tests.
- **Pilot Rollout with Targeted Customer Groups**: Launch pilot programs with limited
  customer groups to test real-world performance, identify potential pain points, and
  validate user adoption. Gather insights to fine-tune the user experience and technical
  stability.
- **Fraud Monitoring and Real-time Risk Controls Implementation**: Integrate new
  authentication methods with advanced, real-time fraud detection systems, including the
  capability for automated session suspension and
  [step-up authentication](https://www.corbado.com/glossary/step-up-authentication) to proactively counter
  threats.

### 4.3 Phase 3: Full Deployment, Customer Migration, and Compliance Validation (Mid Q1 to March 2026)

- **Full-Scale Rollout:** Expand successful pilots across the entire customer base,
  replacing SMS and email OTP methods entirely with the new secure authentication
  mechanisms. Carefully phase this rollout to prevent service disruptions or customer
  confusion.
- **Continuous Customer Communication and Education**: Launch clear, targeted,
  multilingual communication campaigns explaining the new authentication processes and the
  security benefits. Provide easy-to-follow user guides, FAQs, and self-service support
  tools to help customers smoothly adopt the new system.
- **Staff Training and Internal Readiness**: Train internal customer support and technical
  teams thoroughly on the new authentication systems,
  [troubleshooting](https://www.corbado.com/blog/passkey-troubleshooting-solutions) procedures, and communication
  protocols to ensure responsive customer support.
- **Compliance and Audit Preparation**: Document all implementation steps, security
  measures, and internal controls to ensure audit readiness. Proactively engage with CBUAE
  to demonstrate compliance progress and readiness for the March 2026 deadline.

## 5. How will the CBUAE Directive impact Banks and Consumers in the UAE?

The Central Bank of UAE’s (CBUAE) directive mandating the phase-out of SMS and email-based
OTPs by March 2026 brings significant change, not just for financial institutions, but
also for the millions of customers who interact with banks daily. Both groups will face
new challenges and opportunities as secure,
[user-friendly authentication](https://www.corbado.com/faq/passkey-user-experience-benefits-non-technical-audience)
becomes the new standard. Here’s what banks and consumers in the UAE should expect:

### 5.1 Impact on UAE Banks: Balancing Investment, Security and Efficiency

#### 5.1.1 Increased initial Investment

Transitioning to secure authentication methods such as biometrics, cryptographic soft
tokens, passkeys, and UAE Pass integration involves upfront costs, including technology
licensing, vendor selection, infrastructure upgrades, and internal training. Banks must
also ensure seamless integration with existing customer databases,
[KYC](https://www.corbado.com/blog/iso-18013-7-mdl-bank-kyc-onboarding) processes, fraud detection systems, and
mobile banking apps.

#### 5.1.2 Reduced operational Costs and Fraud Risk

Despite these initial expenses, moving away from SMS and email OTPs offers substantial
long-term financial benefits. Eliminating costly per-message fees paid to telecom
providers represents significant savings, especially at scale. More critically, banks will
significantly reduce fraud-related losses, given the stronger security posture provided by
phishing-resistant authentication methods.

#### 5.1.3 Enhanced Customer Experiences and Competitive Advantage

Banks that successfully implement seamless, secure authentication experiences stand to
gain competitive advantages. Consumers increasingly expect frictionless, convenient, yet
secure interactions with financial institutions. Banks delivering on these expectations
can enhance customer loyalty, drive higher transaction completion rates, and position
themselves as digital leaders in the UAE banking market.

### 5.2 Impact on Consumers: Stronger Security, easier Access but Education is essential

For UAE consumers, the directive promises meaningful improvements in banking security,
convenience and ease of use, but also requires adaptation and awareness:

#### 5.2.1 Enhanced Security and Fraud Protection

Replacing SMS and email OTPs with biometric methods (such as facial recognition or
fingerprint verification) or cryptographic tokens significantly strengthens protection
against common threats like phishing, SIM-swapping, and identity theft. Customers will
benefit from reduced [vulnerability](https://www.corbado.com/glossary/vulnerability) and increased trust that
their banking transactions remain secure.

#### 5.2.2 Improved User Experience

The new authentication methods, particularly biometrics and passkeys, offer a much
smoother, frictionless user experience. Instead of manually entering OTP codes, customers
will authenticate themselves seamlessly by simply looking at their smartphone camera,
scanning their fingerprint, or using secure tokens stored on their devices. This improved
ease-of-use can encourage broader adoption of digital banking services.

#### 5.2.3 Consumer Education and Adoption Challenges

However, a major challenge is educating customers about the new authentication processes.
Banks must invest proactively in clear, accessible, multilingual communication campaigns
explaining the new systems, their security benefits, and step-by-step instructions for
use. Special attention should be given to less tech-savvy customers and those unfamiliar
with biometric or [digital identity](https://www.corbado.com/blog/digital-identity-guide) technologies, ensuring
inclusive adoption.

## 6. Conclusion

The Central Bank of UAE’s decision to phase out SMS and email-based OTPs by March 2026
marks a critical turning point for banking and digital security in the UAE. While the
directive presents immediate implementation challenges, it also offers a strategic
opportunity for banks to significantly enhance customer trust, reduce fraud risks, and
deliver superior digital experiences.

Throughout this blog, we’ve explored three key questions essential to understanding and
navigating the CBUAE’s new directive:

**Why exactly is the CBUAE requiring the phase-out of SMS/email OTPs?** SMS and email OTPs
have become dangerously vulnerable to SIM-swapping, phishing, and interception attacks,
posing significant security risks and financial losses for institutions and customers
alike.

**Which modern and secure authentication alternatives should financial institutions
implement to stay compliant?** The best option for banks would be to transition from SMS
OTP to passkeys. Passkeys are the industry gold standard because of their
user-friendliness and security. Other solutions, such as
[biometric authentication](https://www.corbado.com/blog/passkeys-biometric-authentication) (like facial
recognition) and cryptographic soft tokens combined with real-time fraud monitoring, are
also solid options.

**How can UAE banks efficiently and realistically navigate this significant transition
before the 2026 deadline?** By conducting early assessments, selecting reliable technology
partners, deploying phased pilot programs, and prioritizing clear customer communication
and education, banks can meet compliance smoothly and on schedule.

## Frequently Asked Questions

### What authentication methods does the CBUAE directive accept to replace SMS and email OTPs?

The CBUAE directive calls for 'robust, risk-based user-authentication technologies.'
Accepted alternatives include Emirates Face Recognition, cryptographic soft tokens with
in-app approvals, FIDO2-based passkeys and UAE Pass integration. Currently, in-app
confirmation remains the required standard for sensitive web transactions under regulatory
guidance, with no major UAE bank publicly implementing direct passkey-based transaction
approval yet.

### How does the UAE's OTP phase-out compare to similar regulatory actions in other countries?

The CBUAE directive aligns with parallel regulatory measures in Singapore, Malaysia and
Hong Kong, as well as recommendations from the U.S. Cybersecurity and Infrastructure
Security Agency. This global convergence reflects regulators' shared recognition that SMS
OTP vulnerabilities, including SIM-swapping and SS7 protocol exploits, are no longer
acceptable for financial services authentication.

### What is the three-phase implementation roadmap for UAE banks to meet the March 2026 deadline?

Phase 1 covers gap analysis, vendor selection and strategy development in Q3-Q4 2025.
Phase 2 involves technical integration, security testing and pilot deployment in late Q4
2025 through early Q1 2026. Phase 3 completes full-scale customer migration and compliance
validation by March 31, 2026.

### Why are cryptographic soft tokens considered less consumer-friendly than passkeys for UAE banking compliance?

Soft tokens require customers to use additional apps or read out push notifications,
forcing them to leave the banking app during authentication. Passkeys authenticate users
through device-native biometrics like Face ID or Touch ID with no code entry or
app-switching required, making them the more user-friendly path to CBUAE compliance.
