The new regulation officially took effect on July 25, 2025, when all licensed financial institutions in the UAE began transitioning away from OTPs sent via SMS or email. The Central Bank has set March 2026 as the full implementation deadline, at which point the use of SMS/email OTPs will be completely discontinued. During this transitional phase, customers are being encouraged, and in some cases required, to adopt in-app authentication methods offered by their respective banks.
Traditional OTPs sent over SMS or email have long been considered vulnerable to a range of cyberattacks. Fraud tactics like SIM-swapping, phishing, and interception through outdated telecom protocols have compromised the integrity of SMS-based authentication. These vulnerabilities have been exploited globally, resulting in billions in financial losses. By moving away from SMS OTPs, the UAE is proactively addressing these security flaws and paving the way for modern digital banking standards.
According to cybersecurity experts, the reliance on SMS and email for authentication has always carried significant risk. SMS messages can be intercepted or redirected, especially in cases where attackers gain control over a user’s phone number. Moreover, phishing scams that trick users into entering OTPs on fraudulent websites continue to be a major source of financial fraud.
The Central Bank’s directive emphasizes the implementation of more secure, app-based and biometric authentication methods. These include in-app push notifications that prompt users to confirm or reject transactions directly within their mobile banking apps. Instead of entering a code received by text, users receive a real-time notification showing transaction details. Approval is then granted using biometric identifiers like facial recognition or fingerprint scans, or through a secure PIN.
Other advanced methods being adopted include cryptographic soft tokens, FIDO2-compliant passkeys, behavioral biometrics, and device-binding technologies. These tools add layers of identity verification that are significantly harder to exploit compared to OTPs.
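The in-app approval and device-bound soft token described above can be sketched as follows. This is an added example, not code from the regulation or from any bank: the approval is a MAC over a one-time nonce plus the exact transaction details, so it cannot be replayed or moved to another transaction. Assumptions: the `Bank`, `sign`, `device_approve` and `demo` names are hypothetical, and an HMAC key shared at enrolment stands in for the device-bound key (FIDO2 passkeys use a public-key signature instead).

```python
import hashlib
import hmac
import json
import secrets
import time

def sign(key, nonce, txn):
    # Canonical JSON so bank and device MAC identical bytes for the same details.
    body = json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, nonce.encode() + b"|" + body, hashlib.sha256).digest()

class Bank:
    def __init__(self):
        self.device_keys = {}  # device_id -> key provisioned at enrolment (device binding)
        self.pending = {}      # nonce -> (device_id, txn, expiry)

    def enroll(self, device_id):
        self.device_keys[device_id] = secrets.token_bytes(32)
        return self.device_keys[device_id]

    def push(self, device_id, txn, ttl=120):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (device_id, txn, time.time() + ttl)
        return {"nonce": nonce, "txn": txn}  # what the app shows the user

    def verify(self, nonce, tag):
        entry = self.pending.pop(nonce, None)  # single use: a replay finds nothing
        if entry is None or time.time() > entry[2]:
            return False
        device_id, txn, _ = entry
        # Recompute over the transaction the bank stored, not one the client sends.
        return hmac.compare_digest(sign(self.device_keys[device_id], nonce, txn), tag)

def device_approve(key, push):
    # Runs in the app after the user reviews push["txn"] and passes biometric/PIN (not modelled).
    return sign(key, push["nonce"], push["txn"])

def demo():
    bank = Bank()
    key = bank.enroll("phone-1")  # constructed sample data throughout
    pay = {"payee": "Utility Co", "amount": "250.00", "currency": "AED"}
    other = {"payee": "Unknown Acct", "amount": "9000.00", "currency": "AED"}
    p1, p2, p3 = bank.push("phone-1", pay), bank.push("phone-1", other), bank.push("phone-1", pay)
    tag = device_approve(key, p1)
    return {
        "genuine": bank.verify(p1["nonce"], tag),
        "replayed": bank.verify(p1["nonce"], tag),
        "moved_to_other_txn": bank.verify(p2["nonce"], tag),
        "unenrolled_device": bank.verify(p3["nonce"], device_approve(secrets.token_bytes(32), p3)),
    }
```

Unlike a numeric OTP, which authorises whatever request it is typed into, the approval here is only valid for the one transaction the user was shown, on the enrolled device, within the time window.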
The new regulation affects all licensed financial institutions (LFIs) in the UAE that offer services directly to consumers. This includes a wide range of financial entities such as:
If a company holds more than one license, it must make sure that each licensed service meets the specific compliance requirements set out in the regulation.
This transition brings several advantages for both financial institutions and customers. From a security perspective, in-app and biometric authentication methods are inherently more robust. They reduce exposure to cyber threats and eliminate the risks associated with message interception and phishing.
Beyond security, the customer experience is also improved. App-based authentication is generally faster and more convenient. Users no longer need to wait for text messages or emails, which is particularly helpful when traveling or in areas with weak mobile signal. In-app notifications also provide clearer, real-time transaction information, which can help users spot and prevent unauthorized activity more effectively.
Financial institutions stand to benefit from reduced operational costs, too. By eliminating reliance on telecom infrastructure for sending OTPs, banks can cut SMS-related expenses and reduce fraud-related losses. This also allows them to focus more on customer service and digital innovation.
Major banks in the UAE have already launched app updates that support the new authentication methods. Customers are being prompted to download the latest versions of these apps, register their devices, and enable biometric login features. Public education campaigns and support services have also been rolled out to ease the transition, especially for those less familiar with mobile banking.
The Central Bank has ensured that the transition process will be inclusive, providing banks with clear guidelines to support all segments of the population. Special attention is being given to elderly users and those with accessibility needs, ensuring they are not left behind in the push for digital transformation.
As the first country to mandate the complete discontinuation of SMS and email OTPs, the UAE is setting a powerful example for other nations struggling with cyber fraud and authentication challenges. The emphasis on risk-based, biometric, and in-app solutions reflects a forward-thinking approach that other financial regulators may soon follow.