New RBI rules for digital payments, OTP from 2026: All you need to know

Reserve Bank of India’s new rules effective from next financial year aim to make your digital payments fraud-proof

RBI Authentication Mechanisms for Digital Payment Transactions Directions 2025

Get ready to say goodbye to flimsy SMS OTPs and hello to smarter, stronger security: the Reserve Bank of India (RBI) has unveiled its Authentication Mechanisms for Digital Payment Transactions Directions, 2025, coming into force on April 1, 2026.

The directions are set out in an official Reserve Bank document.

Two-factor authentication, every time

Gone are the days when a single SMS OTP would do. From next year, every online payment—whether it’s shopping on your favourite app or sending money to a friend—must clear a two-factor authentication (2FA) check.

As the RBI puts it, “Payment system providers shall ensure that two-factor authentication is applied for all digital payment transactions.”

This means you’ll need any two of the three:

➧ Something you know (password, PIN)

➧ Something you have (your phone, a hardware token)

➧ Something you are (fingerprint, face scan)

So when you log in to your bank’s app, you might enter a PIN and confirm with Face ID, or type a password and then tap to approve on your registered device.

At least one factor must be dynamic—for instance, a one-time code or biometric scan—not just a fixed password.

Freedom to pick the security method

The RBI recognises that everyone has different comfort levels. Banks and payment apps can offer multiple 2FA options, as long as they meet the standard. Want to skip OTPs and use a fingerprint reader? You’ll be free to do so.

The bank must also ensure “all authentication solutions shall be made available to all regulated entities on equal terms,” meaning no app or bank can monopolise the latest security tools.

Beyond OTPs

While SMS OTPs will still work for now, the central bank has asked providers to “encourage adoption of newer authentication methods” like device-based tokens, biometrics, or QR-code approvals.

These approaches are harder to fake, faster to use, and don’t rely on sometimes-unreliable mobile networks.

Risk-based checks for large transactions

Not all payments carry the same fraud risk. For routine, low-value payments—say, your weekly groceries—the standard 2FA check will suffice.

But for high-value or unusual transactions, banks can tap into extra data (your location, device health, spending patterns) and request additional verification.

This “risk-based approach” helps catch fraud before it happens, without bogging you down for every rupee you spend.

Exemptions and transition period

Some small exceptions remain—contactless payments under Rs 5,000, recurring subscriptions, prepaid instruments, and a few others. Also, for Indian cards used on foreign websites, issuers have until October 1, 2026 to roll out at least one secure, single-use check per transaction.

If banks slip up and you lose money, the RBI directions make it clear: you get a full refund. Plus, your personal data must be handled under India’s new privacy rules (DPDP).

Once the new rules come into effect in 2026, you’ll enjoy more secure, seamless payments. No more waiting for OTPs amid patchy network coverage, and fewer worries about fraudsters. 
