Platform
Platform
Drop-In Authentication
Passkeys
Phishing-resistant, FIDO2/WebAuthn
Biometric authentication
Face and device-native biometrics
WhatsApp OTP
Global reach, lower cost than SMS
Email OTP
Universal second factor
App push authentication
Native device push notifications
Palm biometrics
Contactless identity verification
All authentication methods
KEY FEATURES
No-code rules engine
Step-up auth, risk policies, alerts
User observability
Audit trails, dynamic linking
Risk-based authentication
Adaptive MFA by context
Session management
Persistent sessions across channels
Digital credentials API
Verify sovereign digital IDs
Pre-built UI
Fastest deployment path
Passkeys
Deploy phishing-resistant passkeys across web and mobile in days
Solutions
Solutions
USE CASE
Account Takeover Prevention
Stop ATO without adding friction
Go Passwordless
Replace passwords with passkeys
Account Recovery
Secure self-service recovery flows
Call Centre Authentication
Verify callers without KBA
SMS Cost Optimisation
Cut OTP costs up to 90%
Existing Apps (Drop-In)
Add auth without re-architecting
Palm biometric payments
Contactless in-store payments
INDUSTRY
Financial Services & Banking
Secure high-value transactions
Healthcare
Authentication for ePHI access
Loyalty Programs
Protect points and member accounts
ROLE
Engineering
Fast integration, flexible SDKs
Product
No-code flows, conversion insights
Cybersecurity
Risk policies, compliance, audit trails
PricingCustomers
Resources
Resources
LEARN
Blog
Guides
Regulatory
Templates
Docs
COMPANY
About Us
Why Authsignal
Partners
Careers
Security
Contact
INTEGRATIONS
Amazon Cognito
Auth0
Azure AD B2C
Custom identity provider
Duende IdentityServer
All integrations
Docs
Start a trial
Book a callLogin
AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Join us today!
Right icon
Blog
/
Current article
regulation
SMS one-time-password
SMS Alternative

India and the UAE are phasing out SMS OTP

Ashutosh Bhadauriya
⬤
March 27, 2026
Share
India and the UAE are phasing out SMS OTP

As we move through 2025, two major economies are abandoning SMS OTP, the authentication method that billions have relied on over a decade. India changed the rules on September with new requirements starting from April 2026. UAE went even further with a complete phase-out by March 2026.

‍

What India’s new rules mean

On September 25, 2025, the Reserve Bank of India (RBI) released a notification with new authentication rules, which will kick in from April 1, 2026. The RBI isn’t banning SMS OTP, but they are forcing banks to give you better alternatives and stop relying on just one method.

Every digital payment now needs two different ways to verify it's you. At least one has to be dynamic, unique to that specific transaction. You can't just type your password twice and call it secure. Banks can also layer on extra checks based on risk. They might look at your device, your location, and how you normally behave. If a transaction seems off, they'll push a confirmation through DigiLocker or flag it another way.

Why did India do this? SMS OTP became the default for everything. Every bank, every payment app, every transaction used it. When one method dominates like this, it becomes more attack-prone. The fraud numbers went up, too; digital payment fraud skyrocketed to $175 million in FY24, a more than fivefold increase from the previous year.

India is mandating choice and flexibility. SMS OTP will still remain one option among many, but banks must encourage the adoption of newer and more secure authentication methods like device-based tokens, biometrics, and QR-code approvals, and customers can still use SMS if needed.

‍

UAE is completely phasing out SMS OTP

The Central Bank of UAE issued its directive in June 2025, ordering all financial institutions - banks, payment companies, etc - to eliminate SMS and email OTPs completely. Banks began the transition on July 25, 2025, with full compliance required by March 31, 2026.

What replaced it? Banks now use Emirates face recognition, fingerprint scans, facial biometrics, soft tokens in banking apps, and in-app confirmations. Major banks like Emirates NBD, ADIB, and FAB have already made the switch. This urgency was driven by increasing fraud numbers. Over 40,000 people got scammed in UAE during 2023, losing an average of $2,194 each. Fraud jumped 43% year over year, with SMS OTP serving as the entry point for most attacks.

‍

This is happening everywhere

Singapore phased out SMS OTP for bank account logins in July 2024 after phishing scams caused at least $14.2 million in losses. Major retail banks moved digital token users away from OTPs within three months. Malaysia's central bank issued guidance in September 2022 telling financial institutions to stop using it, with banks like Maybank completing their transition by September 2024.

The Philippines issued Circular No. 1213 in June 2025, ordering banks to limit authentication mechanisms that can be intercepted by third parties. While smaller rural banks may need more time, digital banks must implement stronger processes, including biometric authentication, behavioral biometrics, and passwordless methods.

The US Patent and Trademark Office dropped SMS authentication in May 2025. FINRA did it in July. The FBI and CISA both warn against using SMS for authentication now.

Europe's taking a similar path. The European Banking Authority says SMS only works as a possession factor under PSD2, nothing more. The European Commission backs passkeys for EU Login. While SMS isn't outright banned in the EU, the regulatory environment increasingly discourages its use and promotes phishing-resistant alternatives.

‍

Why SMS OTP has stopped working

SIM swapping is one of the biggest threats. Here's how it works: a scammer calls your mobile carrier, pretends to be you, and convinces them to transfer your phone number to a SIM card they control. Once that happens, they receive all your text messages, including OTPs. These attacks have doubled in the past few years.

The SS7 protocol that carries SMS has known security holes. It's old tech, built before anyone worried about this stuff. Hackers can intercept messages while they're being sent. Also, SMS isn't encrypted. It travels as plain text. Anyone monitoring the network can read it. Attackers figured out how to spoof messages so they look like they're from your bank.

The costs are massive. SMS fraud hit $6.7 billion globally in 2023. Twitter alone lost $60 million a year to it. Account takeovers using stolen OTPs make up 15-20% of all online fraud. Even without fraud, SMS is expensive and unreliable. Each message costs between $0.01 and $0.20, more for international. About 10-15% of SMS OTPs never arrive because of network issues.

‍

What is actually working/ What actually works

Passkeys use cryptographic key pairs. Your device keeps a private key. The website gets a public key. You authenticate with your fingerprint or face. The private key never leaves your device, so there's nothing to steal.

In-app authentication keeps everything inside your banking app. Push notifications for approvals, biometric checks, and real-time tokens. The app becomes the secure channel.

Biometrics are already on your phone. Fingerprints, face scans, voice recognition. Some systems even track how you type or hold your device.

Hardware tokens work best for high-security stuff. Physical authenticators that banks give to corporate clients and VIPs.

WhatsApp OTP is a middle ground. Not perfect, but better than SMS. Messages go through encrypted channels. It's cheaper than SMS, and billions of people already use it.

‍

The road ahead

The  SMS OTP is being killed gradually because it's broken. It's not secure, expensive, and doesn't work reliably. The switch will be rough, but keeping SMS OTP would be worse. This isn't just regulatory box-checking. You'll actually get better security. Banks will spend less money. The experience will improve once people get used to it.

Question icon
Have a question?
Talk to an expert
NewsletterDemo PasskeysView docs
regulation
SMS one-time-password
SMS Alternative

You might also like

The passkey UX patterns that drive adoption in 2026
Passkeys
Passkeys implementation

The passkey UX patterns that drive adoption in 2026

July 2, 2026
What is silent network authentication, and how does it work?
Silent Network Authentication
SNA

What is silent network authentication, and how does it work?

June 26, 2026
HIPAA MFA requirements and what to do before the final rule lands
Passkeys
Step up authentication
Adaptive MFA
SMS Alternative

HIPAA MFA requirements and what to do before the final rule lands

July 4, 2026

Secure your customers’ accounts today with Authsignal

Passkey demoCreate free account
Authsignal Purple Logo

Authsignal is a drop-in authentication and orchestration layer for consumer-facing businesses. Passkeys, adaptive MFA, and omnichannel verification on top of your existing identity stack. Deployed in weeks, not quarters.

AICPA SOCFido Certified
LinkedInTwitter
Platform
Drop-In Authentication
PasskeysBiometric authenticationWhatsApp OTPEmail OTPApp push authenticationPalm biometricsSMS OTPEmail OTPMagic LinksAuthenticator apps (TOTP)
View all auth methods
KEY FEATURES
No-code rules engineUser observabilityRisk-based authenticationSession managementDigital credentials APIPre-built UI
All authentication methods
Pricing
Customers
Solutions
USE CASE
Account takeovers (ATO)
Go passwordless
Call center
SMS cost optimization
Existing apps
Palm biometric payments
View all use cases
industry
Financial services
Healthcare
Marketplace
View all use cases
ROLE
Engineering
ProductCybersecurityDocs
Compare
Twilio Verify vs AuthsignalAuth0 vs AuthsignalAWS Cognito vs Authsignal + AWS Cognito
Resources
LEARN
BlogGuidesRegulatoryTemplatesDocs
COMPANY
About usWhy AuthsignalPartnersCareersSecurityContact
Integrations
Amazon Cognito
Azure AD B2C
Duende IdentityServer
Keycloak
Auth0
NextAuth.js
Custom identity provider
All integrations
United States
+1 214 974-4877
Ireland
+353 12 676529
Australia
+61 387 715 810
New Zealand
+64 275 491 983
© 2026 Authsignal - All Rights Reserved
Terms of servicePrivacy policySecuritySystem statusCookies