RBI to implement new payment authentication rules beyond SMS OTP from April 2026 | Know full details
Banks and payment providers must adopt alternative 2FA methods by April 2026 for domestic transactions and by October 2026 for cross-border payments.
The Reserve Bank of India (RBI) on Thursday announced that new digital payment regulations, permitting various ways to meet Two-Factor Authentication (2FA) requirements beyond the standard SMS one-time password, will come into force from April 1, 2026.
Apart from SMS-based OTP, the factors of authentication can be from "something the user has", "something the user knows" or "something the user is" and may comprise, inter alia, password, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar-based), the central bank said in its statement, cited in reports.
The updated framework promotes the use of biometrics, app-based tokens, and device-native authentication methods, placing responsibility on the issuers.
All Payment System Providers and Payment System Participants, including banks and non-bank entities, shall ensure compliance with these directions by April 01, 2026, unless indicated otherwise for any specific provision herein.
Banks and payment providers are required to implement alternative 2FA methods by April 2026 for domestic transactions and by October 2026 for cross-border payments.
All details you need to know
- The RBI has issued the Authentication Mechanisms for Digital Payment Transactions Directions, 2025, confirming that Two-Factor Authentication (2FA) will remain mandatory, while allowing continued use of SMS-based one-time passwords (OTPs).
- The central bank had first announced the initiative in February 2024 to enable the payments ecosystem to adopt technological advancements and implement alternative authentication methods.
- Under the new rules, at least one factor of authentication must be dynamically generated or proven, ensuring that proof of possession is unique to each transaction. The system must also be robust, so that compromise of one factor does not affect the reliability of the other.
- From a risk management perspective, financial sector participants may evaluate transactions against behavioural or contextual parameters, such as transaction location, user patterns, device attributes, and historical transaction profiles.
- The RBI stated, "Based on the perceived risk associated with the transaction, additional checks beyond the minimum two-factor authentication may be resorted to. Issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions."
- The central bank has emphasised that if a loss arises from transactions executed without complying with these directions, the issuer must fully compensate the customer without objection.
- Additionally, from October 1, 2026, card issuers are required to implement a mechanism to validate non-recurring, cross-border card-not-present (CNP) transactions, especially when authentication requests are initiated by an overseas merchant or acquirer.