The Reserve Bank of India has unveiled new digital payment rules that move beyond OTPs, requiring layered authentication from 2026.

RBI’s 2025 Guidelines Signal a Shift in How Indians Pay Online

The420 Correspondent

Mumbai — The Reserve Bank of India’s new Authentication Directions, 2025, mark a significant shift in how digital transactions will be secured. Beginning April 2026, all payments must use at least two authentication factors, but SMS-based one-time passwords — long the default — will no longer hold primacy.

Moving Beyond OTPs

For years, OTPs were the backbone of Indian digital payments, despite flaws like SIM swaps and message delays. Under the new rules, issuers can still use OTPs but must pair them with other tools such as biometric checks, device tokens, or behavioural signals. At least one factor must be dynamic — unique to each transaction.

Risk-Based Authentication

A key innovation is flexibility: banks can now scale security based on risk. Low-value or low-risk payments might clear with minimal friction, while unusual or high-value ones could trigger additional checks. For cross-border, card-not-present transactions, an extra factor of authentication may be required if foreign merchants request it.

Challenges for Banks and Users

Banks and fintechs face heavy implementation costs: new infrastructure, biometric systems, and interoperability standards. If issuers fail to comply and fraud occurs, they must reimburse customers. Consumers, meanwhile, may encounter more prompts and added friction in everyday payments.

Redrawing the Boundaries of Trust

By easing OTP dependence, the RBI is acknowledging that static methods can no longer secure a fast-evolving digital economy. Whether layered, risk-sensitive checks will strengthen confidence — or frustrate users with complexity — will only become clear after the rules take effect in April 2026.
