The Reserve Bank of India (RBI) has strengthened digital payment security with new authentication guidelines which come into effect from April 1, 2026.
The central bank has made two-factor authentication mandatory, with at least one credential being dynamically generated for each transaction to lower risks in both domestic and cross-border scenarios.
Dynamic 2-factor authentication
At present, two-factor authentication is a combination of PIN and SMS OTP.
From April 1, dynamic two-factor authentication will require one factor to be uniquely generated for each transaction.
SMS OTPs are vulnerable to fraud. The new framework promotes alternatives such as biometrics, hardware/software tokens, and risk-based authentication. This shift aims to strengthen fraud prevention, improve interoperability, and align with global standards for secure digital payments.
“The RBI’s new authentication directions bring greater clarity and consistency to the way digital payments are secured in India. The central feature is dynamic two-factor authentication, which requires that one of the two credentials used for each transaction be uniquely generated,” Utkarsh Bhatnagar, partner at Cyril Amarchand Mangaldas, said.
Alternative authentication methods
The RBI favours moving away from SMS-based one-time passwords (OTPs), which are susceptible to SIM swap fraud. Providers can adopt more secure alternatives.
According to Rohit Jain, managing partner at Singhania & Co, RBI’s directions encourage a shift away from SMS-based OTPs toward more secure options such as biometric authentication, software and hardware tokens that generate time-sensitive passcodes, and PINs.
Smrithi Nair, partner at Juris Corp, said biometric authentication is more secure, as it leverages unique physical traits that are hard to replicate or steal.
Compliance and interoperability
Payment system providers must upgrade their systems to implement risk-based monitoring and ensure seamless integration.
According to Bhatnagar, this will require banks to adopt dynamic authentication methods such as OTPs, tokens, and biometrics, while FinTechs will need to develop interoperable solutions that work across devices and applications.
Nair suggests that businesses partner with a reliable biometric technology provider and invest in user education, particularly for older individuals who may struggle with OTP-based apps due to digital fraud anxiety.
Enhancing security and preventing fraud
These guidelines enable issuers to move beyond traditional SMS OTPs to advanced authentication factors.
“Biometric authentication is considered as inherently secure as they are extremely difficult to replicate or steal,” Nair said.
These alternatives enhance security significantly. On-device biometrics or software tokens are tied directly to the user's physical device, Jain said.
Cross-border payments and ecosystem benefits
For cross-border payments, an additional factor of authentication will be required.
Sanjay Tripathy, CEO & co-founder of BRISKPE, said the RBI's risk-based check mandate promotes diverse authentication methods, boosts trust and mitigates risks.
The changes offer a more secure, interoperable system. By increasing interoperability and eliminating the need to remember multiple passwords across different apps, payment system providers can enhance the payments experience by making it more seamless, secure, and user-friendly.