The Reserve Bank of India (RBI) has announced new rules to make digital payments more secure. Under these rules, two-factor authentication (2FA) options beyond SMS OTP will now be allowed.
These regulations, called the “Authentication Mechanisms for Digital Payment Transactions Directions, 2025,” will take effect from April 1, 2026.
What Are the New Authentication Options?
According to the RBI, payment authentication can include:
Something the user possesses (like card hardware or a software token)
Something the user knows (such as a password, PIN, or passphrase)
Something that identifies the user (like fingerprints or other biometric methods)
SMS OTP will still be allowed, but new methods can be used in addition. Importantly, at least one authentication factor must be unique and new for each transaction. Payment systems must also be designed so that if one factor is compromised, it does not affect the others.
Strengthening Security and Risk Management
India has long emphasized two-factor authentication. Previously, financial institutions mainly relied on SMS alerts for transactions.
Under the new rules, financial institutions can identify high-risk transactions for additional verification based on:
Transaction location
User behavior
Device details
Transaction history
DigiLocker may be used for notifications and confirmations.
Customer Protection and International Transactions
The RBI has stated that if customers suffer any loss due to non-compliance with these instructions, the financial institution must fully compensate the customer.
Additionally, from October 1, 2026, card issuers will be required to implement a validation mechanism for non-recurring, cross-border card-not-present (CNP) transactions initiated by overseas acquirers.