 "The new digital payment regulations, which allow for more options to meet two-factor authentication (2FA) requirements, will take effect from April 1, 2026. Image for Representation. Pixabay")
If you hate getting one-time passwords (OTPs) on your phone every time you make a payment, you might soon welcome a new era.
The Reserve Bank of India (RBI) has signalled that it wants to move away from relying solely on OTPs for securing digital transactions from April 2026. Instead, it is opening the door to newer authentication methods that may let you pay without entering an OTP every time.
Under its new guidelines under the Authentication Directions, 2025, the RBI is no longer insisting that OTPs must be the default second factor for all payments.
Here’s what they are planning
What might replace OTPs?
The new digital payment regulations, which allow for more options to meet two-factor authentication (2FA) requirements beyond the usual SMS one-time password, will take effect from April 1, 2026.
Apart from SMS-based OTP, the factors of authentication can be from “something the user has”, “something the user knows” or “something the user is” and may comprise, inter-alia, password, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar-based), the central bank said in its statement, cited in reports.
But why change the system at all?
The shift is not about scrapping OTPs entirely but about making the system more secure and flexible.
In its Authentication Mechanisms for Digital Payment Transactions Directions, 2025, the RBI underlined that two-factor authentication will remain compulsory. SMS OTPs will continue to be allowed, but the payments ecosystem is being encouraged to explore other technologies that may be more resilient and less vulnerable to fraud.
Also read: Why is the rupee sinking even as the dollar weakens globally?
The central bank first floated the idea in February 2024, noting that digital payment methods had evolved enough to support alternatives.
The new rules go a step further, insisting that at least one of the authentication factors must be dynamically created or proven, essentially making sure that the proof being sent is unique to each transaction. The idea may be that if one layer is compromised, the other still holds strong.
There is also a strong focus on risk-based checks. Banks and issuers will be able to evaluate transactions using behavioural and contextual signals such as the customer’s usual spending pattern, device attributes, location, or history of payments.
“Based on the perceived risk associated with the transaction, additional checks beyond the minimum two-factor authentication may be resorted to. Issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions,” the RBI said.
Importantly, the RBI has said that if a loss occurs because a bank or issuer fails to follow these directions, the customer must be compensated in full, without dispute.
The guidelines also introduce a new safeguard for global transactions. From October 1, 2026, card issuers will need to put in place systems to validate one-off, cross-border “card-not-present” transactions where the authentication request comes from an overseas merchant or acquirer.
Industry welcomed the roadmap. Vishwas Patel, chairman of the Payments Council of India, told The Times of India, “The recently released AFA Directions strike an important balance between consumer security and innovation.”
With input from agencies