India and the UAE are phasing out SMS OTP

Ashutosh Bhadauriya
March 27, 2026

As we move through 2025, two major economies are abandoning SMS OTP, the authentication method that billions have relied on for over a decade. India changed the rules in September, with new requirements starting from April 2026. The UAE went even further, with a complete phase-out by March 2026.

What India’s new rules mean

On September 25, 2025, the Reserve Bank of India (RBI) released a notification with new authentication rules, which will kick in from April 1, 2026. The RBI isn’t banning SMS OTP, but they are forcing banks to give you better alternatives and stop relying on just one method.

Every digital payment now needs two different ways to verify it's you. At least one has to be dynamic, unique to that specific transaction. You can't just type your password twice and call it secure. Banks can also layer on extra checks based on risk. They might look at your device, your location, and how you normally behave. If a transaction seems off, they'll push a confirmation through DigiLocker or flag it another way.

Why did India do this? SMS OTP became the default for everything. Every bank, every payment app, every transaction used it. When one method dominates like this, it becomes more attack-prone. The fraud numbers went up, too; digital payment fraud skyrocketed to $175 million in FY24, a more than fivefold increase from the previous year.

India is mandating choice and flexibility. SMS OTP will remain one option among many, but banks must encourage the adoption of newer and more secure authentication methods such as device-based tokens, biometrics, and QR-code approvals. Customers can still use SMS if needed.

UAE is completely phasing out SMS OTP

The Central Bank of the UAE issued its directive in June 2025, ordering all financial institutions (banks, payment companies, etc.) to eliminate SMS and email OTPs completely. Banks began the transition on July 25, 2025, with full compliance required by March 31, 2026.

What replaced it? Banks now use Emirates face recognition, fingerprint scans, facial biometrics, soft tokens in banking apps, and in-app confirmations. Major banks like Emirates NBD, ADIB, and FAB have already made the switch. This urgency was driven by increasing fraud numbers. Over 40,000 people got scammed in the UAE during 2023, losing an average of $2,194 each. Fraud jumped 43% year over year, with SMS OTP serving as the entry point for most attacks.

This is happening everywhere

Singapore phased out SMS OTP for bank account logins in July 2024 after phishing scams caused at least $14.2 million in losses. Major retail banks moved digital token users away from OTPs within three months. Malaysia's central bank issued guidance in September 2022 telling financial institutions to stop using it, with banks like Maybank completing their transition by September 2024.

The Philippines issued Circular No. 1213 in June 2025, ordering banks to limit authentication mechanisms that can be intercepted by third parties. While smaller rural banks may need more time, digital banks must implement stronger processes, including biometric authentication, behavioral biometrics, and passwordless methods.

The US Patent and Trademark Office dropped SMS authentication in May 2025. FINRA did it in July. The FBI and CISA both warn against using SMS for authentication now.

Europe's taking a similar path. The European Banking Authority says SMS only works as a possession factor under PSD2, nothing more. The European Commission backs passkeys for EU Login. While SMS isn't outright banned in the EU, the regulatory environment increasingly discourages its use and promotes phishing-resistant alternatives.

Why SMS OTP has stopped working

SIM swapping is one of the biggest threats. Here's how it works: a scammer calls your mobile carrier, pretends to be you, and convinces them to transfer your phone number to a SIM card they control. Once that happens, they receive all your text messages, including OTPs. These attacks have doubled in the past few years.

The SS7 protocol that carries SMS has known security holes. It's old tech, built before anyone worried about this stuff. Hackers can intercept messages while they're being sent. Also, SMS isn't encrypted. It travels as plain text. Anyone monitoring the network can read it. Attackers figured out how to spoof messages so they look like they're from your bank.

The costs are massive. SMS fraud hit $6.7 billion globally in 2023. Twitter alone lost $60 million a year to it. Account takeovers using stolen OTPs make up 15-20% of all online fraud. Even without fraud, SMS is expensive and unreliable. Each message costs between $0.01 and $0.20, more for international. About 10-15% of SMS OTPs never arrive because of network issues.

What actually works

Passkeys use cryptographic key pairs. Your device keeps a private key. The website gets a public key. You authenticate with your fingerprint or face. The private key never leaves your device, so there's nothing to steal.
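
The key-pair flow above, sketched as an added example (not Authsignal's code and not the WebAuthn wire format): a simplified challenge-response in Node.js where the signed bytes cover the site origin and the transaction, which is also one way a response can be unique to a specific transaction as the RBI section describes. The origins, payee IDs and field names are constructed for illustration.

```javascript
const crypto = require("node:crypto");
// Registration: the device keeps privateKey; the server stores only publicKey.
function registerDevice() {
  return crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
}

// Server: fresh random challenge tied to one transaction (hypothetical fields).
function newChallenge(tx) {
  return { nonce: crypto.randomBytes(16).toString("hex"), tx, used: false };
}

// Bytes that get signed: origin, nonce and transaction details in a fixed order.
function signedPayload(origin, nonce, tx) {
  return Buffer.from(JSON.stringify([origin, nonce, tx.payee, tx.amount]));
}

// Device: signs for the origin the browser is really on (user verification omitted).
function deviceSign(privateKey, browserOrigin, nonce, tx) {
  const payload = signedPayload(browserOrigin, nonce, tx);
  return { origin: browserOrigin, signature: crypto.sign("sha256", payload, privateKey) };
}

// Server: checks single use, origin, and the signature over its own view of the transaction.
function serverVerify(publicKey, expectedOrigin, challenge, assertion) {
  if (challenge.used) return "rejected: challenge already used";
  if (assertion.origin !== expectedOrigin) return "rejected: wrong origin";
  const payload = signedPayload(expectedOrigin, challenge.nonce, challenge.tx);
  if (!crypto.verify("sha256", payload, publicKey, assertion.signature)) {
    return "rejected: bad signature";
  }
  challenge.used = true;
  return "accepted";
}

function demo() {
  const { publicKey, privateKey } = registerDevice();
  const origin = "https://bank.example"; // constructed sample values
  const tx = { payee: "ACME-001", amount: "2500.00" };
  const c1 = newChallenge(tx);
  const good = deviceSign(privateKey, origin, c1.nonce, tx);
  const first = serverVerify(publicKey, origin, c1, good);
  const replay = serverVerify(publicKey, origin, c1, good); // same assertion again
  const c2 = newChallenge(tx); // assertion made on a look-alike site
  const relayed = serverVerify(publicKey, origin, c2,
    deviceSign(privateKey, "https://bank-login.example", c2.nonce, tx));
  const c3 = newChallenge({ payee: "OTHER-999", amount: "2500.00" }); // server sees another payee
  const swapped = serverVerify(publicKey, origin, c3, deviceSign(privateKey, origin, c3.nonce, tx));
  return { first, replay, relayed, swapped };
}
console.log(demo());
```

Unlike an SMS code, which is valid wherever it is typed, the signed response here is only accepted for the origin and transaction it was produced for.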

In-app authentication keeps everything inside your banking app. Push notifications for approvals, biometric checks, and real-time tokens. The app becomes the secure channel.

Biometrics are already on your phone. Fingerprints, face scans, voice recognition. Some systems even track how you type or hold your device.

Hardware tokens work best for high-security stuff. Physical authenticators that banks give to corporate clients and VIPs.

WhatsApp OTP is a middle ground. Not perfect, but better than SMS. Messages go through encrypted channels. It's cheaper than SMS, and billions of people already use it.

The road ahead

SMS OTP is being killed gradually because it's broken. It's insecure, expensive, and doesn't work reliably. The switch will be rough, but keeping SMS OTP would be worse. This isn't just regulatory box-checking. You'll actually get better security. Banks will spend less money. The experience will improve once people get used to it.
