Platform
Platform
Drop-In Authentication
Passkeys
Phishing-resistant, FIDO2/WebAuthn
Biometric authentication
Face and device-native biometrics
WhatsApp OTP
Global reach, lower cost than SMS
Email OTP
Universal second factor
App push authentication
Native device push notifications
Palm biometrics
Contactless identity verification
All authentication methods
KEY FEATURES
No-code rules engine
Step-up auth, risk policies, alerts
User observability
Audit trails, dynamic linking
Risk-based authentication
Adaptive MFA by context
Session management
Persistent sessions across channels
Digital credentials API
Verify sovereign digital IDs
Pre-built UI
Fastest deployment path
Passkeys
Deploy phishing-resistant passkeys across web and mobile in days
Solutions
Solutions
USE CASE
Account Takeover Prevention
Stop ATO without adding friction
Go Passwordless
Replace passwords with passkeys
Account Recovery
Secure self-service recovery flows
Call Centre Authentication
Verify callers without KBA
SMS Cost Optimisation
Cut OTP costs up to 90%
Existing Apps (Drop-In)
Add auth without re-architecting
Palm biometric payments
Contactless in-store payments
INDUSTRY
Financial Services & Banking
Secure high-value transactions
Healthcare
Authentication for ePHI access
Loyalty Programs
Protect points and member accounts
ROLE
Engineering
Fast integration, flexible SDKs
Product
No-code flows, conversion insights
Cybersecurity
Risk policies, compliance, audit trails
PricingCustomers
Resources
Resources
LEARN
Blog
Guides
Regulatory
Templates
Docs
COMPANY
About Us
Why Authsignal
Partners
Careers
Security
Contact
INTEGRATIONS
Amazon Cognito
Auth0
Azure AD B2C
Custom identity provider
Duende IdentityServer
All integrations
Docs
Start a trial
Book a callLogin
AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Join us today!
Right icon
Blog
/
Current article
regulation
Multi-factor authentication
Banking
SMS one-time-password

June 2025 SMS OTP regulatory updates: Banking's global shift to secure authentication

Ashutosh Bhadauriya
⬤
July 4, 2025
Share
June 2025 SMS OTP regulatory updates: Banking's global shift to secure authentication

Central banks across multiple countries are cracking down on SMS one-time passwords. What banks have relied on for years is now being actively banned or restricted by regulators who recognize the security flaws that make these codes vulnerable to fraud.

In just the past few months, we've seen binding directives from the Philippines, new deadlines from the UAE, and evolving guidance from the EU. SMS OTPs are becoming a compliance liability rather than a security asset.

Here are the latest regulatory updates that every financial institution should be aware of:

‍

The Philippines: BSP issues binding circular

The most recent regulatory development comes from the Philippines, where the Bangko Sentral ng Pilipinas (BSP) issued Circular No. 1213 in June 2025. This isn't just guidance anymore, it's a binding order that requires banks to fundamentally change their authentication practices.

The circular orders banks to "limit the use of authentication mechanisms that can be shared with, or intercepted by, third parties unrelated to the transaction." This directly targets SMS and email OTPs, which the BSP now considers inherently vulnerable to social engineering attacks.

BSP Deputy Governor Elmore Capule has been clear about the central bank's position: "You know how technology is. If you say that what we have right now is efficient, then by next week or next year, it may no longer be."

The regulation is particularly strict for digital banks, requiring them to implement "stronger authentication processes" including:

  • Biometric authentication
  • Behavioral biometrics
  • Passwordless auth systems
  • Hardware tokens and cryptographic keys

While smaller rural and thrift banks may still use OTPs temporarily, the BSP is pushing the entire industry toward more secure alternatives. The central bank acknowledges the costs involved and is "giving them sufficient time," but the direction is clear.

‍

UAE: Central Bank sets March 2026 deadline

UAE Central Bank issued its directive in June 2025, giving financial institutions until March 2026 to completely eliminate SMS and email OTPs. This represents one of the most aggressive timelines for SMS OTP elimination globally.

The directive requires banks to adopt:

  • Emirates face recognition technology
  • Soft tokens and biometric verification
  • Real-time fraud monitoring systems
  • Secure app-based authentication

The urgency is driven by alarming fraud statistics. Scams and fraud in the UAE have grown by 43% year-over-year, with over 40,000 people falling victim to scams in 2023 alone, losing an average of $2,194 each.

The challenge for UAE banks is significant. Many still rely on legacy systems built around OTP infrastructure. Upgrading to support cryptographic tokens, biometric authentication, and secure digital verification requires substantial investment. Leading institutions like Emirates NBD, ADIB, and FAB have already made the transition, but industry-wide compliance by March 2026 will test the sector's adaptability.

‍

EU: PSD2 framework evolution

The European Union's approach under PSD2 (Payment Services Directive 2) continues to evolve. While SMS OTPs aren't completely banned, the regulatory environment is increasingly restrictive and discouraging their use.

The European Banking Authority (EBA) has made clear that SMS OTPs face significant limitations:

  • They can only serve as a possession factor, not for dynamic linking requirements
  • SMS content must be encrypted for payment authentication, which is impractical
  • The inherent vulnerabilities of SMS infrastructure don't meet strong customer authentication ideals

The EU is actively promoting stronger authentication methods. The European Commission now supports passkeys for EU Login, demonstrating institutional commitment to phishing-resistant authentication. Additionally, ENISA's NIS2 technical guidance emphasizes the importance of robust authentication mechanisms for critical infrastructure.

Most EU financial institutions are proactively moving toward:

  • FIDO2-based passkeys
  • Biometric authentication within mobile apps
  • Hardware security keys
  • Behavioral analytics

While technically compliant in limited scenarios, SMS OTPs are becoming a liability rather than an asset for EU banks focused on regulatory adherence and customer security.

‍

Why SMS OTPs are failing

The reasons for this global shift are clear and compelling:

Security vulnerabilities: SMS messages can be intercepted through various methods, including SIM swapping, social engineering, and malware. Scammers have developed sophisticated tools and tactics to capture OTP codes.

Phishing attacks: Criminals create fake banking websites that closely resemble legitimate ones, tricking users into entering their OTPs. These attacks have become increasingly sophisticated and successful.

Technical limitations: The SMS infrastructure relies on older protocols that weren't designed with modern security threats in mind. The SS7 signaling protocol, for instance, has well-known security flaws.

Cost inefficiency: SMS OTPs are expensive and unreliable. Banks pay for each SMS sent, with costs ranging from $0.01 to $0.10 per message depending on the region. What's worse, delivery rates are often poor - studies show that 10-15% of SMS OTPs never reach users due to network congestion, carrier filtering, or device issues. This creates a double hit: banks pay for failed deliveries while customers get frustrated with the authentication process. One partner reported that 12% of their OTPs never reached users, highlighting the scale of this inefficiency.

‍

The alternatives taking over

Banks worldwide are adopting several alternative authentication methods:

Biometric authentication: Fingerprint, facial recognition, and voice authentication provide strong security tied to individual users.

App-based digital tokens: Secure tokens generated within banking apps, often using time-based algorithms, provide better security than SMS.

WhatsApp and messaging app OTPs: Some institutions are exploring WhatsApp Business API and other messaging platforms for OTP delivery. These alternatives offer better delivery rates, lower costs (often 50-70% cheaper than SMS), and enhanced security through end-to-end encryption. However, they still face similar interception risks if not properly implemented.

Push notifications: Instead of sending codes, banks send push notifications that users can approve or deny directly in their banking apps.

Behavioral analytics: Systems that analyze user behavior patterns, such as typing speed and device handling, provide continuous authentication.

FIDO2/WebAuthn standards: Passkeys and hardware security keys offer phishing-resistant authentication that's both secure and user-friendly.

‍

What this means for users

For banking customers, these changes might initially seem inconvenient. However, the benefits are substantial:

  • Better security: Reduced risk of account takeovers and fraudulent transactions
  • Improved user experience: Once set up, biometric and app-based authentication is often faster than typing in SMS codes
  • Future-proofing: These new methods are designed to evolve with emerging threats

The transition period might require some patience as banks upgrade their systems and customers adapt to new authentication methods. But the long-term result will be a more secure banking environment for everyone.

‍

Looking forward

The global movement away from SMS OTPs represents a crucial evolution in financial security. As digital banking continues to grow and cyber threats become more sophisticated, the industry's proactive approach to authentication security is both necessary and encouraging.

Banks that haven't yet started this transition should begin planning now. The regulatory trend is clear, and customer security demands it. The question isn't whether SMS OTPs will be phased out, but how quickly financial institutions can implement better alternatives.

Question icon
Have a question?
Talk to an expert
NewsletterDemo PasskeysView docs
regulation
Multi-factor authentication
Banking
SMS one-time-password

You might also like

The passkey UX patterns that drive adoption in 2026
Passkeys
Passkeys implementation

The passkey UX patterns that drive adoption in 2026

July 2, 2026
What is silent network authentication, and how does it work?
Silent Network Authentication
SNA

What is silent network authentication, and how does it work?

June 26, 2026
HIPAA MFA requirements and what to do before the final rule lands
Passkeys
Step up authentication
Adaptive MFA
SMS Alternative

HIPAA MFA requirements and what to do before the final rule lands

July 4, 2026

Secure your customers’ accounts today with Authsignal

Passkey demoCreate free account
Authsignal Purple Logo

Authsignal is a drop-in authentication and orchestration layer for consumer-facing businesses. Passkeys, adaptive MFA, and omnichannel verification on top of your existing identity stack. Deployed in weeks, not quarters.

AICPA SOCFido Certified
LinkedInTwitter
Platform
Drop-In Authentication
PasskeysBiometric authenticationWhatsApp OTPEmail OTPApp push authenticationPalm biometricsSMS OTPEmail OTPMagic LinksAuthenticator apps (TOTP)
View all auth methods
KEY FEATURES
No-code rules engineUser observabilityRisk-based authenticationSession managementDigital credentials APIPre-built UI
All authentication methods
Pricing
Customers
Solutions
USE CASE
Account takeovers (ATO)
Go passwordless
Call center
SMS cost optimization
Existing apps
Palm biometric payments
View all use cases
industry
Financial services
Healthcare
Marketplace
View all use cases
ROLE
Engineering
ProductCybersecurityDocs
Compare
Twilio Verify vs AuthsignalAuth0 vs AuthsignalAWS Cognito vs Authsignal + AWS Cognito
Resources
LEARN
BlogGuidesRegulatoryTemplatesDocs
COMPANY
About usWhy AuthsignalPartnersCareersSecurityContact
Integrations
Amazon Cognito
Azure AD B2C
Duende IdentityServer
Keycloak
Auth0
NextAuth.js
Custom identity provider
All integrations
United States
+1 214 974-4877
Ireland
+353 12 676529
Australia
+61 387 715 810
New Zealand
+64 275 491 983
© 2026 Authsignal - All Rights Reserved
Terms of servicePrivacy policySecuritySystem statusCookies