RBI Issues New Rules for Digital Payments, OTP to Be One of Many Options for 2FA
Mumbai, 26th September 2025: The Reserve Bank of India (RBI) on Thursday released its Authentication Directions, 2025, signalling a gradual shift away from one-time password (OTP)-only verification for digital transactions. The new framework broadens the scope of two-factor authentication (2FA), allowing the use of biometrics, app-based tokens, and device-native features such as fingerprint or face recognition.
While SMS-based OTP will continue as an option, it will no longer be the sole method. Instead, banks and payment providers will be required to offer consumers additional choices, reducing delays and improving security. The responsibility for any lapses will rest with the issuing institutions.
The revised rules will be implemented in phases. Domestic digital payments must comply by April 1, 2026, while cross-border “card-not-present” transactions will follow by October 1, 2026.
“All digital transactions will need at least two distinct layers of authentication,” the RBI noted. “One of these must be dynamically generated and unique to each individual transaction.” The central bank added that the updated guidelines are designed to help the industry adopt modern technologies while ensuring international transactions remain equally secure.
The authentication factors can come from three categories: something the user knows (like a password, PIN, or passphrase), something the user has (like a token, card, or device), or something the user is (biometric features such as fingerprint, iris scan, or Aadhaar-based verification).
Industry representatives have welcomed the development. “The new authentication framework strikes the right balance between safeguarding users and encouraging innovation in digital payments,” said Vishwas Patel, Chairman of the Payments Council of India.
Under the new framework, banks, fintech firms, and wallet providers must deploy alternatives to OTP, incorporate behavioural analytics, and enable DigiLocker-based verification for high-risk payments by April 2026. UPI operators and card networks are required to support open-access tokenisation and interoperable authentication methods, while merchants will have to reconfigure checkout systems to align with the new standards.
