RBI to Phase Out OTPs for Digital Payments by April 2026
The Reserve Bank of India (RBI) has announced plans to move away from relying solely on one-time passwords (OTPs) for securing digital transactions. Starting April 1, 2026, the RBI’s new guidelines will allow for more flexible two-factor authentication (2FA) methods, aiming to enhance security and user experience.
What Will Replace OTPs?
Under the new regulations, authentication factors can include:
- Something the user knows: passwords, passphrases, or PINs.
- Something the user has: card hardware, software tokens, or devices.
- Something the user is: biometrics, including fingerprints or Aadhaar-based identification.
These alternatives aim to provide more secure and user-friendly options for verifying transactions.
Why the Change?
The shift is not about eliminating OTPs entirely but about making the system more secure and flexible. The RBI emphasized that two-factor authentication will remain compulsory, and SMS OTPs will continue to be allowed. However, the payments ecosystem is being encouraged to explore other technologies that may be more resilient and less vulnerable to fraud.
Additional Safeguards
The guidelines also introduce a safeguard for global transactions. From October 1, 2026, card issuers will need to implement systems to validate one-off, cross-border “card-not-present” transactions where the authentication request comes from an overseas merchant or acquirer.
These measures aim to enhance security for international transactions and protect consumers from potential fraud.
Industry Response
Industry stakeholders have welcomed the RBI’s roadmap. Vishwas Patel, chairman of the Payments Council of India, noted that the new directions strike an important balance between consumer security and innovation.
As the implementation date approaches, both consumers and businesses are preparing for a more seamless and secure digital payment experience.
