- The Reserve Bank of India (RBI) is stepping up the security of digital payments with some new authentication guidelines that will kick in on April 1, 2026.
- To enhance safety in both domestic and international transactions, the central bank is now requiring two-factor authentication.
- This means that for every transaction, at least one of the credentials must be dynamically generated, helping to reduce risks significantly.
- Dynamic 2-factor authentication Right now, two-factor authentication combines a PIN with an SMS one-time password (OTP).
- Starting April 1, the new dynamic two-factor authentication will require that one of the factors be uniquely generated for each transaction.
The Reserve Bank of India (RBI) is stepping up the security of digital payments with some new authentication guidelines that will kick in on April 1, 2026.
To enhance safety in both domestic and international transactions, the central bank is now requiring two-factor authentication. This means that for every transaction, at least one of the credentials must be dynamically generated, helping to reduce risks significantly.
Dynamic 2-factor authentication
Right now, two-factor authentication combines a PIN with an SMS one-time password (OTP).
Starting April 1, the new dynamic two-factor authentication will require that one of the factors be uniquely generated for each transaction.
Since SMS OTPs can be susceptible to fraud, the updated framework encourages the use of alternatives like biometrics, hardware or software tokens, and risk-based authentication. This change is designed to enhance fraud prevention, boost interoperability, and align with global standards for secure digital payments.
“The RBI’s new authentication guidelines provide clearer and more consistent methods for securing digital payments in India. The key aspect is dynamic two-factor authentication, which mandates that one of the two credentials used for each transaction be uniquely generated,” said Utkarsh Bhatnagar, a partner at Cyril Amarchand Mangaldas.
Alternative authentication methods
The RBI is looking to move away from SMS-based one-time passwords (OTPs) because they can be vulnerable to SIM swap fraud. Instead, providers are encouraged to explore more secure alternatives.
Rohit Jain, managing partner at Singhania & Co, points out that the RBI’s guidance promotes a transition from SMS-based OTPs to safer options like biometric authentication, software and hardware tokens that create time-sensitive passcodes, and PINs.
Smrithi Nair, a partner at Juris Corp, emphasizes that biometric authentication offers greater security since it relies on unique physical characteristics that are difficult to replicate or steal.
Compliance and interoperability
Payment system providers really need to step up their game by upgrading their systems to implement risk-based monitoring and ensure everything integrates smoothly.
Bhatnagar points out that this means banks will have to embrace dynamic authentication methods like OTPs, tokens, and biometrics. Meanwhile, FinTech companies will need to create solutions that can work seamlessly across different devices and applications.
Nair recommends that businesses team up with a trustworthy biometric technology provider and focus on educating users, especially older folks who might find OTP-based apps challenging due to concerns about digital fraud.
Enhancing security and preventing fraud
These guidelines help issuers transition from traditional SMS OTPs to more sophisticated authentication methods.
“Biometric authentication is regarded as highly secure because it’s incredibly hard to replicate or steal,” Nair explained.
These alternatives significantly boost security. According to Jain, on-device biometrics or software tokens are directly linked to the user’s physical device.
Cross-border payments and ecosystem benefits
When it comes to cross-border payments, an extra layer of authentication is going to be necessary.
Sanjay Tripathy, the CEO and co-founder of BRISKPE, mentioned that the RBI’s mandate for risk-based checks encourages a variety of authentication methods, which helps build trust and reduce risks.
These changes pave the way for a more secure and interconnected system. By enhancing interoperability and removing the hassle of juggling multiple passwords across various apps, payment system providers can significantly improve the payment experience, making it smoother, safer, and more user-friendly.