RBI ends OTP-only payments: New 2-step rule for UPI, cards from April 1

From April 1, all digital transactions must be authenticated through at least two factors under the RBI’s new framework

By Sarwesh Sri Bardhan

Apr 23, 2026 18:12 IST

The Reserve Bank of India has put in place new digital payment rules that move the system beyond SMS OTP-only verification, making two-factor authentication mandatory for all digital transactions from April 1, 2026.

The framework, titled the Authentication Mechanisms for Digital Payment Transactions Directions, 2025, covers UPI, cards, and mobile wallets and is aimed at reducing fraud while tightening accountability across the payment chain.

No standalone OTP

Under the new regime, OTPs can still be one part of authentication, but they cannot stand alone.

Every transaction will need at least two independent factors, with one factor required to be dynamic. That can include a PIN, password, biometric check, or a secure token, depending on the system used by the bank or payment app. NDTV reported that the move responds to vulnerabilities in OTP-based systems, including phishing and SIM-swap fraud.

Risk-based approach new norm for banks

Banks will also be allowed to use a risk-based approach. Routine low-value transactions from trusted devices may face fewer checks, while larger payments or transactions from new devices could trigger additional verification steps.

NDTV also reported that the RBI has tightened accountability norms, with possible compensation in cases where fraud occurs because of system failures or lapses, along with faster complaint resolution.

Landmark step towards Digital India

The shift may bring device-bound and passkey-style authentication into wider use, including biometrics and secure device approval.

HID’s Edwardcher Monreal called the RBI’s updated directions a “landmark step for India’s digital payments security” and said the change aligns with global best practices. The transition is expected to reduce dependence on SMS messages and make approvals more seamless as banks and payment providers adapt their systems.

Perhaps most importantly, remain skeptical. Scammers frequently pose as bank officials or payment service providers. They contact victims via phone calls, messages, or websites to get OTPs, PINs, passwords, or card information. No respectable institution will ever request these details. If something feels off, it probably is.
