Blitz Bureau
THE Central Bank of the United Arab Emirates (CBUAE) has issued a directive requiring all financial institutions to eliminate SMS and email-based one-time password (OTP) authentication for customer transactions by March 31, 2026, according to DD News. This move, aimed at bolstering digital banking security, will affect banks, finance companies, exchange houses, insurers, and payment service providers across the UAE, marking a significant shift toward more secure, riskbased authentication technologies.
Traditional OTP methods, delivered via SMS or email, are increasingly vulnerable to phishing, SIM swapping, and SS7 protocol exploits. To counter these threats, the CBUAE is mandating the adoption of advanced authentication methods, such as Emirates Face Recognition, biometric verification, and mobile-based soft tokens.
UAE banks will begin transitioning customers to app-based authentication for all domestic and international financial transactions. Leading institutions like Emirates NBD, ADIB, and FAB have already adopted biometric and in-app solutions for most online banking activities. Customers will need to enable app-based verification features to authorize transactions, replacing the reliance on SMS or email OTPs. The CBUAE has set a phased implementation, with full compliance required by March 2026.
The UAE’s move aligns with global trends, as countries like Singapore and Malaysia phase out SMS-based OTPs due to similar security concerns. The CBUAE’s directive is part of its broader Financial Infrastructure Transformation (FIT) Programme, which includes initiatives like the planned launch of a retail central bank digital currency (CBDC), the digital dirham, in late 2025.
