In a groundbreaking move that is poised to reshape global standards for digital security, the Central Bank of the United Arab Emirates (CBUAE) has issued a sweeping mandate that requires financial institutions to phase out the use of SMS and email-based One-Time Passwords (OTPs) for authentication. This makes the UAE the first country in the world to take such a definitive step toward eliminating outdated authentication methods and transitioning to more secure, intelligent alternatives.
This regulatory decision doesn’t just modernize authentication — it signals the beginning of the end for a method long considered foundational in digital banking and payments.
Why this move is monumental
OTPs, especially those delivered via SMS or email, were once considered a simple and effective way to add a layer of security. But as cyber threats evolved, their weaknesses became increasingly evident:
- SIM swap fraud, phishing, SMS pumping attacks, MiTM, and SS7 protocol flaws have made SMS OTPs highly exploitable.
- In 2023 alone, SMS-based fraud cost the industry $6.7 billion globally.
- OTPs are the weak link in the majority of Account Takeover (ATO) attacks, which represent 15–20% of global online fraud.
The UAE’s decision marks a strategic shift from reactive security to preventive resilience, placing consumer protection, technology modernization, and institutional accountability at the forefront.
Who must comply
The regulation applies to all Licensed Financial Institutions (LFIs) operating in the UAE that provide consumer-facing services, including:
- Retail Banks
- Card Issuers (credit, debit, prepaid)
- Merchant Acquirers
- Stored Value Facility (SVF) Providers
- Payment Service Providers (PSPs)
- Entities with multiple licenses, with each license subject to the respective requirements
Exemptions:
- Institutions offering corporate banking only
- Banks that do not offer digital access or card issuance to consumers
Key highlights of the regulation
User authentication
- SMS and Email OTPs, static passwords, and similar weak methods are prohibited as stand-alone authentication for any transactions, enrollments, or access.
- 3DSecure (3DS) transactions must use strong second-factor authentication like in-app verification, tap-to-authenticate, soft tokens, or biometrics. Risk-based passive authentication is allowed, but fraud liability shifts to the institution.
- Full refunds are mandatory for any 3DS fraud involving SMS OTP, effective immediately.
- Strong authentication such as biometrics (e.g., Emirates Face Recognition), cryptographic-enabled tokens (e.g., passkeys), secure in-app approvals, or behavioral biometrics is required for:
  - New device or first-time app registration
  - Enrolling in instant payment services
  - Provisioning cards into wallets (e.g., Apple Pay, Google Pay)
  - Single-click payment setup
- Step-up authentication is mandatory for actions such as:
  - Payment initiation
  - Modifying limits or security settings
  - Updating personal information
  - Requesting new or replacement cards
Preventive and transaction controls
- Institutions must conduct regular fraud risk assessments and fraud typology reviews.
- Before any fund transfer (domestic or international), beneficiary name and details must be shown to the sender.
- Real-time fraud monitoring systems must be deployed across all channels, operating 24/7/365.
- Device, location, and behavioral analysis must be integrated into fraud detection.
- Session suspension is required if screen-sharing or malware is detected — or if the user is on an active call.
- Clickable links in emails and SMS should be avoided. Push notifications are recommended.
- Optional cooling-off periods may be introduced for large or high-risk transactions.
Activity monitoring & intelligence sharing
- Institutions must implement:
  - Real-time fraud analysis
  - Suspicious behavior detection (e.g., multiple logins, large withdrawals, geographic anomalies)
  - Monitoring of dormant accounts for unauthorized activity
  - Early identification of mule accounts
  - Advanced techniques like behavioral biometrics and digital identity profiling
- Merchant acquirers and PSPs must monitor for:
  - Enumeration attacks
  - Bulk transaction anomalies
  - Suspicious device/email reuse
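As an added illustration (not code from the regulation or from any institution's monitoring system), the following Python sketch flags the four suspicious-behaviour typologies listed above over constructed sample events: login bursts, large withdrawals, impossible-travel geographic anomalies, and activity on a dormant account. The thresholds, the 1,000 km/h travel limit, and the event layout are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Thresholds are assumptions for this example, not values from the regulation.
LOGIN_BURST = 4                    # this many logins inside LOGIN_WINDOW is a burst
LOGIN_WINDOW = timedelta(minutes=10)
LARGE_WITHDRAWAL = 50_000          # amount at or above which a withdrawal is "large"
MAX_SPEED_KMH = 1000               # faster than any commercial flight => impossible travel
DORMANT_DAYS = 180                 # no activity for longer than this => dormant account

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events, last_activity):
    """events: (account, iso_timestamp, kind, amount, (lat, lon)); returns {account: set(alerts)}."""
    alerts, logins, previous = defaultdict(set), defaultdict(list), {}
    for acc, ts, kind, amount, coords in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        # Dormant account: compare the first event in this batch with the last known activity.
        if acc not in previous and acc in last_activity:
            if (t - datetime.fromisoformat(last_activity[acc])).days > DORMANT_DAYS:
                alerts[acc].add("dormant_account_activity")
        if kind == "login":  # sliding window of recent login times per account
            logins[acc] = [x for x in logins[acc] if t - x <= LOGIN_WINDOW] + [t]
            if len(logins[acc]) >= LOGIN_BURST:
                alerts[acc].add("multiple_logins")
        if kind == "withdrawal" and amount >= LARGE_WITHDRAWAL:
            alerts[acc].add("large_withdrawal")
        if acc in previous:  # geographic anomaly: implied speed since the previous event
            pt, pcoords = previous[acc]
            hours = (t - pt).total_seconds() / 3600
            if hours > 0 and km_between(pcoords, coords) / hours > MAX_SPEED_KMH:
                alerts[acc].add("geographic_anomaly")
        previous[acc] = (t, coords)
    return dict(alerts)

# Constructed sample data (not real accounts): Dubai, Abu Dhabi and Sao Paulo coordinates.
SAMPLE_EVENTS = [
    ("acc-1", "2025-06-01T09:00:00", "login", 0, (25.20, 55.27)),
    ("acc-1", "2025-06-01T09:05:00", "login", 0, (25.20, 55.27)),
    ("acc-1", "2025-06-01T09:06:00", "login", 0, (25.20, 55.27)),
    ("acc-1", "2025-06-01T09:07:00", "login", 0, (25.20, 55.27)),      # burst of 4 logins
    ("acc-2", "2025-06-01T10:00:00", "login", 0, (24.45, 54.65)),
    ("acc-2", "2025-06-01T10:30:00", "login", 0, (-23.55, -46.63)),    # 30 min later, other continent
    ("acc-3", "2025-06-01T11:00:00", "withdrawal", 60_000, (25.20, 55.27)),
    ("acc-4", "2025-06-01T12:00:00", "withdrawal", 500, (25.20, 55.27)),  # long-dormant account
]
LAST_ACTIVITY = {"acc-1": "2025-05-30", "acc-2": "2025-05-28", "acc-3": "2025-05-20", "acc-4": "2024-01-15"}
```

A production system would feed the same rules from streaming events and combine them with the device and behavioural signals the regulation requires, rather than scanning a static list.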
Data security and brand protection
- Mandatory compliance with:
  - UAE’s Information Assurance Regulation
  - SWIFT CSCF
  - PCI DSS
- Institutions must:
  - Use tokenization for all stored payment credentials
  - Conduct daily scans of merchant websites for e-skimming threats
  - Implement robust access controls following the principle of least privilege
  - Deploy brand protection solutions to prevent phishing, fake ads, and spoofed domains
Consumer empowerment
The regulation emphasizes giving users more control, including:
- Instant reporting of fraud or suspicious activity via mobile or web apps
- Ability to block/unblock cards and accounts instantly
- View and manage:
  - Transfer/payment limits
  - Subscriptions
  - Tokenized cards on different devices
- No branch visits or email forms for basic security concerns — frictionless reporting is now the norm
Deadline for compliance
All LFIs must fully comply by March 31, 2026, except where otherwise specified (e.g., 3DS fraud refund rules apply immediately). Non-compliance may result in:
- Elevated risk ratings on the Central Bank’s internal dashboards
- Supervisory or enforcement actions
How UAE compares globally
Why the shift is unavoidable
We’ve relied on OTPs for decades — but the world has changed.
- SMS vulnerabilities are rampant: phishing, SIM swaps, malware, SMS pumping
- Better technologies exist: cryptographic passkeys, behavioral biometrics and analysis, biometrics, app-based verification
- Global regulators are tightening standards: post-breach reforms are accelerating this transition
UAE has just set the first domino in motion. It’s no longer a question of if other countries will follow – but when.
Built on strong national infrastructure
The UAE’s decision builds upon its already advanced digital public infrastructure, which offers secure, real-time identity validation and frictionless onboarding for individuals and businesses.
Key enablers include:
- Biometric-enabled Emirates ID: Equipped with a secure chip and NFC storing fingerprint and facial data, the Emirates ID enables instant KYC by banks, telecom providers, and government services.
- Integration with UAE PASS: The national digital identity platform allows residents to securely log in, sign documents, and complete digital transactions across sectors.
- Emirates Facial Recognition: A government-backed biometric identity verification system enabling seamless, contactless identity verification at banks, airports, and public institutions.
This layered digital ecosystem not only enhances customer experience but also provides a high-assurance identity foundation, crucial for secure digital transformation and building trust in the digital economy.
The takeaway: A new era of trust
This isn’t just a technical upgrade; it’s a paradigm shift in how trust is built in the digital economy. By eliminating SMS OTPs and shifting to stronger, smarter, and safer authentication, the UAE is:
- Protecting consumers more effectively
- Driving innovation in financial services
- Setting a global benchmark for regulatory excellence
As threats grow more sophisticated, so must our defenses. The UAE’s leadership in this space sets a new gold standard for the world to follow.
The future of digital trust starts now — and the UAE is leading the way.