
SAMA Authentication Requirements: Saudi Arabia Banks Move Beyond OTP

SAMA is advancing authentication requirements beyond traditional OTPs through the National Cybersecurity Authority's framework. Financial institutions should prepare for stricter standards prioritizing FIDO2 protocols and device-bound credentials.
Written by Maranda Manning
Published on March 19, 2026

TL;DR

The Saudi Arabian Monetary Authority (SAMA) is advancing authentication requirements beyond traditional one-time passwords through the National Cybersecurity Authority's evolving Essential Cybersecurity Controls framework. While SAMA hasn't issued a blanket OTP ban, the regulatory trajectory mirrors patterns from the UAE, India, and European markets that moved toward multi-factor, phishing-resistant authentication. Financial institutions operating under SAMA jurisdiction should prepare for stricter authentication standards that prioritize FIDO2 protocols, device-bound credentials, and risk-adaptive frameworks over SMS-based verification.

The Regulatory Context: SAMA's Cybersecurity Posture

The Saudi Arabian Monetary Authority operates within the broader National Cybersecurity Authority (NCA) framework, which establishes baseline security controls for critical sectors including financial services. The NCA's Essential Cybersecurity Controls (ECC) framework has undergone multiple iterations, with the most recent guidance emphasizing authentication resilience and phishing-resistant mechanisms.

SAMA's approach differs from dramatic single-directive shifts. Rather than issuing a sudden OTP prohibition like the UAE Central Bank's 2023 mandate, SAMA has incorporated authentication evolution into broader cybersecurity compliance expectations. This incremental path allows financial institutions to modernize infrastructure without emergency overhauls, but it also requires proactive interpretation of regulatory signals.

The Saudi fintech ecosystem has grown substantially, with digital banking licenses expanding and payment service providers proliferating. This growth increases the attack surface for credential-based fraud, making authentication standards a natural regulatory priority. SAMA's licensing frameworks for payment service providers and digital-only banks include authentication requirements that exceed basic password-plus-SMS combinations.

Why OTPs Are Falling Out of Favor Globally

One-time passwords delivered via SMS or email suffer from well-documented vulnerabilities. SIM-swap attacks have compromised accounts at major financial institutions globally, with losses often exceeding millions of dollars per incident. Phishing attacks increasingly incorporate real-time relay methods where attackers harvest OTPs within their validity windows and use them immediately.

The FIDO Alliance has published extensive research demonstrating that SMS-based authentication fails to prevent sophisticated phishing and man-in-the-middle attacks. In contrast, FIDO2-compliant passkeys bind authentication to specific devices and origins, making them resistant to remote interception. This technical superiority has driven regulatory bodies worldwide to favor phishing-resistant authentication in high-risk scenarios.

SAMA's peers in the Gulf Cooperation Council have moved decisively. The UAE Central Bank's 2023 directive mandated the phase-out of OTP-only authentication for financial transactions. Bahrain's Central Bank and Qatar's financial regulators have similarly emphasized multi-factor authentication with device-bound elements. Saudi Arabia's regulatory environment tends to observe regional precedents before implementing similar frameworks, suggesting SAMA's trajectory will align with GCC norms.

SAMA's Authentication Priorities in Practice

Financial institutions under SAMA supervision have received guidance prioritizing several authentication principles:

Risk-Based Authentication: Transactions and account access should employ authentication strength proportional to risk. High-value transfers, beneficiary additions, and sensitive configuration changes warrant stronger authentication than balance inquiries. This aligns with global best practices from PSD2 in Europe and NIST guidance in the United States.

Multi-Factor Requirements: While SAMA hasn't banned OTPs outright, recent licensing conditions for digital banks and payment providers specify multi-factor authentication where at least one factor resides on a registered device. This effectively pushes institutions toward app-based authenticators or biometric verification rather than SMS.

Transaction Signing: For payment authorization, SAMA encourages cryptographic transaction signing where the user verifies and approves specific transaction details rather than generic login OTPs. This prevents attackers from reusing intercepted codes for unauthorized transfers.

Fraud Monitoring Integration: Authentication decisions should incorporate real-time fraud signals like device fingerprinting, behavioral analytics, and geolocation consistency checks. Relying solely on knowledge factors or simple OTPs without contextual fraud detection leaves institutions vulnerable to sophisticated account takeover.
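The four principles above fit together in one flow: a risk score decides whether a transfer needs a device-bound login assertion or full transaction signing, and the signed payload binds the relying-party origin, a fresh server challenge, and a hash of the exact transaction details, so a signature harvested for one transfer cannot be replayed for another or from a phishing origin. The following is an added illustration, not code from Ideem or any SAMA guidance; the origin, the IBAN, the thresholds and the HMAC device key are all constructed (a real passkey signs with an asymmetric key in device hardware, and the server would verify with the registered public key).

```python
import hashlib
import hmac
import json

RP_ORIGIN = "https://bank.example"  # assumed relying-party origin
# Constructed device-bound key. A real passkey uses an asymmetric key pair kept in the
# device's secure hardware; HMAC is a stdlib-only stand-in for "only this device can sign".
DEVICE_KEY = bytes.fromhex("7f" * 32)


def required_assurance(tx, ctx):
    """Risk-based step-up: pick authentication strength from transaction risk signals."""
    if ctx.get("new_device") or ctx.get("new_beneficiary") or tx["amount_sar"] >= 10000:
        return "transaction_signing"   # user must approve the exact transfer details
    if tx["amount_sar"] > 0:
        return "passkey"               # device-bound login assertion is enough
    return "none"                      # e.g. a balance inquiry

def transaction_hash(tx):
    """Canonical hash of the details the user sees and approves (what-you-see-is-what-you-sign)."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def device_sign(origin, challenge, tx):
    """Authenticator side: the signed payload binds origin, server challenge and transaction hash."""
    payload = json.dumps(
        {"origin": origin, "challenge": challenge, "tx_hash": transaction_hash(tx)},
        sort_keys=True).encode()
    return payload, hmac.new(DEVICE_KEY, payload, hashlib.sha256).hexdigest()

def bank_verify(expected_challenge, tx_to_execute, payload, signature):
    """Relying-party side: recompute everything from what the bank is about to execute."""
    expected = hmac.new(DEVICE_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False                                  # not signed by the registered device
    data = json.loads(payload)
    return (data.get("origin") == RP_ORIGIN           # rejects assertions made for another origin
            and hmac.compare_digest(data.get("challenge", ""), expected_challenge)  # single use
            and data.get("tx_hash") == transaction_hash(tx_to_execute))  # rejects altered transfer

if __name__ == "__main__":
    tx = {"to_iban": "SA00BANK000000000000000001", "amount_sar": 25000, "memo": "rent"}
    print(required_assurance(tx, {"new_beneficiary": True}))      # transaction_signing
    challenge = "c0ffee01"  # constructed; a real server issues a fresh random nonce per request
    payload, sig = device_sign(RP_ORIGIN, challenge, tx)
    print(bank_verify(challenge, tx, payload, sig))                # True
    tampered = dict(tx, to_iban="SA00BANK000000000000000002")
    print(bank_verify(challenge, tampered, payload, sig))          # False: signature is for a different transfer
    payload2, sig2 = device_sign("https://bank-login.example", challenge, tx)
    print(bank_verify(challenge, tx, payload2, sig2))              # False: wrong origin
```

A generic login OTP carries none of these bindings, which is why an intercepted code can be spent on a transfer the victim never saw.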

The Passkey Opportunity for Saudi Financial Institutions

Passkeys represent the most viable path for Saudi banks and fintechs to exceed SAMA's authentication expectations while improving user experience. Unlike legacy multi-factor approaches that frustrate customers with SMS delays or token management, passkeys leverage device biometrics for seamless authentication.

A Saudi retail bank implementing passkeys can eliminate SMS infrastructure costs, reduce customer support inquiries related to code delivery failures, and achieve compliance with emerging phishing-resistant standards. The technology works across mobile banking apps and web portals, providing consistent security regardless of channel.

Early adopters in Saudi Arabia's fintech sector have reported positive customer reception. Users appreciate the speed of biometric authentication compared to waiting for SMS codes, and the elimination of password memorization removes a common friction point. For institutions targeting tech-savvy demographics, passkey support signals modernity and security consciousness.

Implementation Considerations for SAMA-Supervised Institutions

Saudi financial institutions evaluating authentication upgrades should prioritize several factors:

Regulatory Alignment: Ensure any authentication solution explicitly addresses NCA Essential Cybersecurity Controls and SAMA's fintech licensing requirements. Documentation demonstrating phishing resistance and multi-factor compliance will be essential for regulatory audits.

Customer Migration Strategy: Forced authentication changes can trigger customer churn if poorly executed. Successful implementations use gradual onboarding, clear educational messaging, and fallback options during transition periods. Saudi customers have demonstrated willingness to adopt new security measures when benefits are clearly communicated.

Cross-Border Compatibility: Many Saudi financial institutions serve expatriate populations and businesses with international operations. Authentication systems should function reliably across device ecosystems and geographic regions without creating friction for legitimate cross-border activity.

Recovery Mechanisms: Account recovery remains a critical consideration for passkey deployments. Institutions need secure processes for users who lose devices or change phones. Solutions should balance security with accessibility, avoiding recovery paths that reintroduce OTP vulnerabilities.

What This Means for Authentication Vendors

The Saudi market presents substantial opportunities for authentication solution providers that can demonstrate SAMA compliance and GCC market understanding. Vendors should emphasize:

Regional Data Residency: SAMA and NCA regulations include data localization requirements. Authentication solutions processing Saudi customer credentials must offer in-kingdom hosting options or clear documentation of data flows.

Arabic Language Support: While English proficiency is common among Saudi fintech users, Arabic-first interfaces and documentation demonstrate market commitment. Customer support for banks and end-users should accommodate Arabic fluently.

Islamic Finance Compatibility: Saudi banks offering Shariah-compliant products require authentication systems that integrate with unique product structures and approval workflows. Generic solutions may need customization for sukuk, murabaha, and other Islamic financial instruments.

Proven Regional Deployments: Banks and regulators prefer vendors with existing GCC deployments. Case studies from UAE, Bahrain, or Qatar financial institutions carry more weight than generic international references.

The Path Forward

SAMA's authentication evolution reflects a broader Gulf trend toward phishing-resistant, device-bound credentials. While the pace differs from the UAE's directive approach, the destination remains the same: financial transactions protected by multi-factor, cryptographically secured authentication that prevents remote interception.

Saudi financial institutions should view this transition as an opportunity to differentiate on security and user experience simultaneously. The banks that move proactively will avoid rushed implementations when regulatory requirements tighten, and they'll capture security-conscious customers who increasingly evaluate digital banking options based on authentication robustness.

The National Cybersecurity Authority and SAMA have signaled their priorities clearly through licensing conditions, cybersecurity frameworks, and regional regulatory coordination. Institutions waiting for explicit OTP bans will find themselves behind competitors who recognized the trajectory earlier and invested in modern authentication infrastructure.

Sources:

National Cybersecurity Authority - Saudi Arabia

Saudi Arabian Monetary Authority

FIDO Alliance

UAE Central Bank
