UAE Central Bank OTP Directive
On June 4, 2025, the Central Bank of the UAE issued a clear directive requiring all licensed financial institutions (LFIs) to phase out SMS and email OTPs by March 2026.
This decision is part of a wider global shift away from outdated authentication methods that are vulnerable to fraud. Let’s break down what this means, why it’s happening, and what’s next for banks, fintechs, and customers.
Why the UAE Is Phasing Out OTPs
OTPs sent by SMS or email have been a common second-factor authentication method for years. But they’re increasingly unsafe.
- Fraud risks: Criminals use phishing attacks, SIM swaps, and message interception to steal OTPs.
- Customer friction: SMS codes slow down logins and payments, leading to poor user experience.
- Global regulatory pressure: Regions like Singapore, India, and the EU are pushing financial institutions toward stronger, phishing-resistant methods.
By setting a deadline, the UAE is signaling it wants to lead in digital security and consumer trust.
What Will Replace SMS OTPs
Starting in July 2025, UAE banks must begin shifting to app-based authentication. By March 2026, this will be the standard.
App-based authentication works like this:
- A customer gets a push notification inside the bank’s app.
- They approve or deny the request.
- Confirmation is done with biometrics (fingerprint, face ID) or a secure PIN.
Other technologies that support this move include:
- Passkeys (FIDO2/WebAuthn): Cryptographic login credentials stored on a device, resistant to phishing.
- Device binding: Credentials are locked to a specific phone or hardware token, so stolen credentials cannot be used from another device.
- Soft tokens: One-time codes generated within secure apps, not sent over SMS.
These methods provide stronger protection against fraud while offering a smoother experience for users.
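The push approval flow and device binding described above, sketched as an added example (not code from the directive, this article, or any bank). It shows the server-side checks that make an approval single-use, time-limited, and tied to one enrolled device. Assumptions: an HMAC with a per-device secret stands in for the asymmetric key pair a passkey or secure-element deployment would use, and all names, the 120-second lifetime, and the sample values are hypothetical.

```python
import hashlib, hmac, json, secrets, time

CHALLENGE_TTL = 120  # seconds a push request stays valid (assumed value)

def sign(key, payload, decision):
    # The tag covers the exact request shown to the user and the user's decision.
    return hmac.new(key, payload + b"|" + decision.encode(), hashlib.sha256).digest()

def device_respond(key, payload, decision, user_verified):
    # App side: the bound key is only used after a biometric or PIN check.
    return sign(key, payload, decision) if user_verified else None

class ApprovalServer:  # hypothetical bank-side verifier
    def __init__(self):
        self.device_keys = {}  # device_id -> key enrolled at device binding
        self.pending = {}      # challenge id -> (device_id, payload, expiry)

    def enroll(self, device_id):
        self.device_keys[device_id] = secrets.token_bytes(32)
        return self.device_keys[device_id]  # provisioned to the app once

    def start(self, device_id, action, now=None):
        if device_id not in self.device_keys:
            raise KeyError("device not enrolled")
        now = time.time() if now is None else now
        cid = secrets.token_hex(16)
        payload = json.dumps({"cid": cid, "action": action}, sort_keys=True).encode()
        self.pending[cid] = (device_id, payload, now + CHALLENGE_TTL)
        return cid, payload  # body of the push notification

    def finish(self, cid, device_id, decision, tag, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(cid, None)  # single use: any attempt consumes it
        if entry is None:
            return "unknown-or-replayed"
        bound_device, payload, expires = entry
        if now > expires:
            return "expired"
        if device_id != bound_device:
            return "wrong-device"
        expected = sign(self.device_keys[device_id], payload, decision)
        if tag is None or not hmac.compare_digest(expected, tag):
            return "bad-signature"
        return "approved" if decision == "approve" else "denied"
```

Unlike an SMS code, the response here is useless for any other request, device, or decision, which is what the rejected cases demonstrate.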
Timeline to Compliance
- July 25, 2025 – Banks begin phasing out SMS and email OTPs. App-based login approvals start rolling out.
- March 31, 2026 – Full migration deadline. SMS and email OTPs will no longer be permitted.
During this transition period, banks are expected to test new systems, train customers, and launch updated authentication features.
Who Is Affected
Banks and financial institutions must modernize their security systems to meet the deadline. This includes upgrading apps, integrating passkeys, and ensuring compliance with Central Bank rules.
Customers will see fewer SMS codes and more app-based approvals. For most, it will feel faster and more secure — tapping a fingerprint or face ID instead of waiting for a text.
Fintech companies have an opportunity to get ahead by adopting device-bound authentication early, positioning themselves as leaders in user-friendly, compliant security.
Why This Matters
This directive isn’t just about replacing SMS. It’s about moving the UAE financial sector toward phishing-resistant, device-based authentication that reduces fraud, lowers costs, and builds trust in digital banking.
For global observers, it also signals a broader shift: the future of authentication is passwordless and device-bound.
FAQs
Will I still get SMS codes from my bank after March 2026?
No. After the deadline, UAE banks must use stronger methods like app push notifications, biometrics, or passkeys.
What do I need to do as a customer?
Make sure you have your bank’s mobile app updated and enable biometrics like fingerprint or face ID. The transition should be seamless.
Why are regulators favoring passkeys and biometrics?
Because they are cryptographic, phishing-resistant, and tied to a device. This makes them far more secure than SMS or email codes.