How will RBI’s digital payment authentication beyond SMS OTPs work?
The new norms follow a February 2024 draft circular that encouraged stakeholders in the Indian digital payment ecosystem to adopt more factors of authentication for validating and confirming customers’ credentials.
The banking regulator has asked all payment system providers (PSPs) and payment system participants, including banks and non-bank entities, to comply with the RBI’s (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025, by 1 April 2026.
Mint explains what it means for issuers and users.
What is two-factor authentication (2FA)?
2FA is an authentication process that requires a person initiating a transaction to provide two different types of proof of identity, referred to as factors.
The factors of authentication can be from “something the user has” (e.g., a mobile phone for an OTP), “something the user knows” (e.g., a PIN or password) or “something the user is” (e.g., a fingerprint or facial recognition).
While the RBI had not previously mandated 2FA or prescribed a specific factor, financial sector players have mostly relied on SMS-based OTPs as the second factor.
What do the new directions say?
All digital payment transactions—across UPI, cards, wallets, net banking, account transfers, NEFT, IMPS, among others—will be required to go through 2FA.
The RBI has made it clear that 2FA will be mandatory for all digital payment transactions. For transactions other than card-present ones, at least one of the authentication factors must also be dynamically created or proven, so that the proof of possession of the factor, sent as part of the transaction, is unique to that transaction.
Although SMS-based OTPs can be used for the purpose, the central bank wants the payments ecosystem to leverage technological advancements, such as biometrics, app-based tokens, and device-native authentication methods.
For example, the first factor may be something user-related, such as a password or PIN, a payment instrument, card or token, or a biometric, while the second must be a dynamic factor, such as an OTP, a push notification, or an authenticator application.
Issuers will have the option to offer a choice of authentication factors to their customers, at their discretion. But “the factor of authentication shall be such that compromise of one factor does not affect the reliability of the other,” RBI said.
However, small-value contactless payments, recurring transactions under an e-mandate (after the first registration), certain PPI (prepaid payment instrument) transactions, PPI gift cards, NETC (National Electronic Toll Collection) transactions, and travel bookings made on global distribution systems by International Air Transport Association (IATA)-approved entities will remain exempt.
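The requirement that the proof of possession be "unique to that transaction" is easiest to see in code. The following is an added illustration, not RBI's or any issuer's implementation: a hypothetical issuer verifies a knowledge factor (a PIN) and a dynamic possession factor computed by an authenticator app from a device-resident key over a per-transaction nonce and the transaction fields. Because the proof covers the payee and amount, a proof captured for one transaction cannot authorise a tampered one, and because the challenge is single-use and time-limited, it cannot be replayed. The names, the key-provisioning step and the 120-second validity window are assumptions for the example.

```python
"""Transaction-bound dynamic second factor (hypothetical example, not RBI or issuer code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    payer: str
    payee: str
    amount_paise: int

    def canonical(self) -> bytes:
        # Unambiguous encoding of the fields the customer is actually approving.
        return f"{self.txn_id}|{self.payer}|{self.payee}|{self.amount_paise}".encode()


class AuthenticatorApp:
    """Customer's device: holds a key provisioned at enrolment (assumed device-bound)."""

    def __init__(self, key: bytes):
        self._key = key

    def approve(self, txn: Transaction, nonce: bytes) -> str:
        # The proof covers the issuer's nonce and the transaction fields, so it is
        # unique to this transaction and useless for any other.
        return hmac.new(self._key, nonce + txn.canonical(), hashlib.sha256).hexdigest()


class Issuer:
    PBKDF2_ROUNDS = 200_000  # assumed parameter for PIN hashing

    def __init__(self):
        self._device_keys: dict[str, bytes] = {}
        self._pins: dict[str, tuple[bytes, bytes]] = {}
        self._pending: dict[str, tuple[Transaction, bytes, float]] = {}

    def enrol(self, customer: str, pin: str) -> AuthenticatorApp:
        salt = secrets.token_bytes(16)
        self._pins[customer] = (salt, self._hash_pin(pin, salt))
        key = secrets.token_bytes(32)           # assumed: delivered to the app over a secure channel
        self._device_keys[customer] = key
        return AuthenticatorApp(key)

    def initiate(self, txn: Transaction, now: float, ttl: float = 120.0) -> bytes:
        # One fresh nonce per transaction; the issuer remembers exactly what was challenged.
        nonce = secrets.token_bytes(16)
        self._pending[txn.txn_id] = (txn, nonce, now + ttl)
        return nonce

    def authenticate(self, txn: Transaction, pin: str, proof: str, now: float) -> tuple[bool, str]:
        pending = self._pending.pop(txn.txn_id, None)   # single use: a second attempt finds nothing
        if pending is None:
            return False, "no pending challenge (unknown transaction or replay)"
        challenged_txn, nonce, expires_at = pending
        if now > expires_at:
            return False, "challenge expired"
        if challenged_txn != txn:
            return False, "transaction fields differ from those challenged"
        # Factor 1 (knowledge): PIN. Factor 2 (possession, dynamic): HMAC over nonce + fields.
        pin_ok = self._pin_ok(txn.payer, pin)
        expected = hmac.new(self._device_keys[txn.payer], nonce + txn.canonical(), hashlib.sha256).hexdigest()
        proof_ok = hmac.compare_digest(expected, proof)
        if not (pin_ok and proof_ok):
            return False, "authentication failed"   # one generic message: no factor-by-factor oracle
        return True, "approved"

    def _hash_pin(self, pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.PBKDF2_ROUNDS)

    def _pin_ok(self, customer: str, pin: str) -> bool:
        salt, stored = self._pins[customer]
        return hmac.compare_digest(stored, self._hash_pin(pin, salt))


if __name__ == "__main__":
    issuer = Issuer()
    app = issuer.enrol("alice", "4821")               # constructed sample customer
    txn = Transaction("T1", "alice", "shop", 150_000)  # constructed sample transaction
    nonce = issuer.initiate(txn, now=1000.0)
    proof = app.approve(txn, nonce)
    print(issuer.authenticate(txn, "4821", proof, now=1010.0))      # (True, 'approved')
    print(issuer.authenticate(txn, "4821", proof, now=1011.0))      # replay: rejected
    nonce = issuer.initiate(txn, now=2000.0)
    proof = app.approve(txn, nonce)
    tampered = Transaction("T1", "alice", "mule", 150_000)
    print(issuer.authenticate(tampered, "4821", proof, now=2001.0))  # changed payee: rejected
```

The contrast with a plain SMS OTP is that the OTP digits carry no information about the payee or amount: if an attacker initiates a transaction and social-engineers the six digits out of the customer, the issuer has nothing to compare against the fields the customer thought they were approving. Binding the proof to the transaction fields, as above, is what gives the "unique to that transaction" property teeth.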
What’s the need for these new conditions?
The norms aim to mitigate emerging fraud risks and establish a stronger, more resilient authentication framework across the digital payments ecosystem, while enhancing user experience for all stakeholders.
Apart from the February 2024 draft circular, the central bank had issued another draft in July 2024 and a separate one in February 2025 on introducing an additional factor of authentication (AFA) for cross-border payments.
Based on stakeholder and industry feedback, the final norms—issued last week—lay down broad principles for all participants in the payment chain.
“This framework presents an opportunity to adopt smarter, adaptive authentication solutions that reduce fraud, improve operational efficiency, and enhance customer trust in the digital economy,” said Shailesh Paul, chief executive, Wibmo, a PayU company.
What about cross-border transactions?
While the broader guidelines do not apply to cross-border digital payment transactions, card issuers will now be required to establish mechanisms to validate non-recurring, cross-border card-not-present (CNP) transactions, where an authentication request is raised by an overseas merchant or acquirer.
Issuers must also register their Bank Identification Numbers (BINs) with card networks and implement a risk-based framework for handling all cross-border transactions. The new norms must be fully complied with by 1 October 2026.
“This is a critical step towards increasing trust and reducing risk, ultimately benefiting both businesses and their customers. It sets a clear, uniform standard aligned with global best practices and will strengthen India’s position in the international digital payments landscape,” said Sanjay Tripathy, CEO and co-founder of cross-border payments platform BRISKPE.
The move, he added, will foster a more robust and compliant ecosystem, ensuring smoother and more secure cross-border transactions.
What do these mean for financial sector players?
Digital payment system providers and participants must ensure that the authentication or tokenization services they offer are accessible to all applications and token requestors operating within a given environment, regardless of device hardware, operating system or similar parameters. These services should also be adaptable across all use cases, channels, and token storage mechanisms.
“Authentication systems must now support interoperability and open access. This is a structural shift, not just a compliance tweak. Further, privacy-by-design is now a regulatory imperative. With the Digital Personal Data Protection Act set to come into force, industry players must embed it into every layer of their authentication architecture,” said Amey Pathak, partner and head of banking at law firm Cyril Amarchand Mangaldas.
Issuers will also be responsible for ensuring the robustness and integrity of authentication mechanisms before deployment. In the event of any loss arising from non-compliance with the norms, issuers will be liable to compensate customers in full, without demur.
“The payments ecosystem must collectively manage customer communication to raise awareness about this initiative and support large-scale implementation of enhanced authentication processes. A key step would be distinguishing between financial and non-financial transactions, as both currently rely on SMS-based OTPs—an area frequently exploited by fraudsters,” said Venkat Narayanan, vice-president, products, at digital payments platform Worldline India.
What does this mean for users?
It will strengthen checks and balances for payment system operators, making digital transactions safer and more secure.
However, this also means that issuers may, in line with their internal risk management policies, identify transactions for evaluation against behavioural and contextual parameters, such as transaction location, user behaviour patterns, device attributes, and historical transaction profiles.
Accordingly, based on the perceived risk associated with the transaction, additional checks beyond the minimum 2FA may also be resorted to, the RBI said, adding that issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions.
“Differentiating OTP formats can be an immediate step to help customers clearly identify the type of transaction being executed, serving as a visual cue,” Narayanan said.
He added that the faster integration of additional factors of authentication based on biometrics, GPS, and device-native methods is the need of the hour, as these offer a greater variety for users.