While SMS OTPs will continue to be a valid option, the new rules encourage the adoption of alternative, more technologically advanced methods.
In a major development related to digital payments, the Reserve Bank of India (RBI) announced a new framework for authenticating digital payments beyond the two-factor authentication (2FA), which is an SMS-based one-time password so far. This will come into effect on April 1. According to information available, the factors of authentication can be from “something the user has”, “something the user knows” or “something the user is” and may comprise, inter-alia, password, SMS-based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar-based), the central bank said.
Factors Of Authentication
The factors of authentication can be from “something the user has”, “something the user knows” or “something the user is” and may comprise, inter-alia, password, SMS-based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar-based), the central bank said.
While SMS OTPs will continue to be a valid option, the new rules encourage the adoption of alternative, more technologically advanced methods.
The RBI launched the (Authentication mechanisms for digital payment transactions) Directions, 2025, making it clear that 2FA will continue to be mandatory and SMS OTP can also be used.
A key requirement is that at least one authentication factor must be dynamically created and unique to the specific transaction. Systems must also be robust, ensuring that compromising one factor doesn’t affect the other.
Key takeaways for financial institutions:
2FA is still required, and SMS OTPs are still allowed.
One factor must be dynamic, transaction-specific, and proven. Security systems must be robust against single-factor compromise.
Risk-based analysis is mandatory: Institutions should assess transactions using behavioural and contextual data.
Customer Protection: If a security failure causes a loss, the issuer must fully compensate the customer.
New validation mechanisms for certain cross-border card transactions must be in place by October 1, 2026.
