UAE Central Bank directive: What it means for authentication, and what comes next
On June 4, 2025, the Central Bank of the UAE issued a clear directive requiring all licensed financial institutions (LFIs) to phase out SMS and email OTPs by March 2026. The decision stems from the increasing vulnerability of these methods to SIM-swap fraud, phishing, SS7 interception, and other exploit techniques.
What’s changing
- Ban on SMS and email OTPs
  Banks must eliminate OTPs delivered through SMS or email by March 31, 2026.
- Adoption of secure alternatives
  The CBUAE is directing institutions to adopt stronger methods like biometric verification through UAE Pass or Emirates Facial Recognition, as well as cryptographic soft tokens and passkeys that align with FIDO2 standards.
- Real-time fraud monitoring
  Financial institutions must implement real-time session monitoring and risk-based access controls to detect anomalies and suspend access automatically if suspicious behavior is detected.
Why the shift is happening
- Rising fraud
  The UAE saw a 43 percent year-over-year increase in scam incidents, with more than 40,000 individuals affected in 2023. SMS OTPs are a soft target for attackers.
- Global alignment
  Similar mandates have been rolled out in Singapore and Malaysia, both of which require stronger customer authentication frameworks that go beyond OTPs.
- Better user experience
  Secure app-based login and biometric flows reduce dependency on passwords and offer faster, smoother authentication journeys.
What banks and fintechs need to do
| Action Item | Reason |
| --- | --- |
| Move to app-based authentication or passkeys | Provides phishing-resistant access and eliminates SMS-based risks |
| Integrate national identity solutions | UAE Pass, Emirates ID, and facial recognition help meet assurance levels |
| Educate customers early | Helps users prepare for the new login experience before enforcement kicks in |
| Upgrade infrastructure | Backend systems must support new token issuance and biometrics |
| Implement risk-based controls | Ensures authentication strength adapts to user behavior and transaction type |

While banks like Emirates NBD and ADIB have already begun rolling out biometric login and soft token solutions, others are still dependent on OTP-based mechanisms that will need to be replaced before the deadline.
What UAE users should expect
- More secure access
  App-based or biometric logins drastically reduce fraud exposure tied to OTP interception.
- Changing habits
  Users will be expected to authenticate via UAE Pass or their bank's mobile app, which may involve device registration or biometric scans.
- Support and alternatives
  Banks will likely roll out multilingual support, phased onboarding, and accommodations for users without smartphones or those who prefer in-person verification options.
What comes next
Between now and March 31, 2026, financial institutions will need to continue modernizing their authentication stack. That includes integrating biometric libraries, supporting FIDO2 passkeys, and enabling real-time monitoring tools for fraud detection. Beyond compliance, these upgrades lay the groundwork for zero-trust architectures and smoother customer onboarding in digital environments.
The UAE mandate is not just a technical requirement. It’s a strategic push toward secure, app-native, and passwordless banking experiences. Financial institutions that move quickly will not only meet compliance expectations but also gain customer trust and operational efficiency in the process.