Reserve Bank of India (RBI) has issued new authentication guidelines to strengthen security in India’s digital payment ecosystem. These will come into effect from April 1, 2026, under the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025.
Key Highlights
- Effective Date: April 1, 2026
- Mandate: Dynamic Two-Factor Authentication (2FA) for all digital payment transactions.
- Applicability: All digital payments—domestic and cross-border (CNP transactions).
- Objective: Enhance payment security, prevent fraud, and align with global authentication standards.
What is Dynamic Two-Factor Authentication (2FA)?
- Two factors are required for authentication.
- One factor must be dynamically generated (unique to every transaction).
- Traditional PIN + SMS OTP systems can continue, but the RBI encourages adoption of more secure alternatives.
New Authentication Guidelines
1. Dynamic Two-Factor Authentication
- Mandatory for all digital transactions.
- One credential must be dynamically generated per transaction (e.g., OTP, biometric, or token).
- SMS OTPs can still be used but are considered vulnerable to fraud (e.g., SIM swap).
- Alternatives encouraged:
- Biometric authentication (fingerprint, facial, iris)
- Hardware/software tokens
- Risk-based authentication
2. Alternative Authentication Methods
- Move beyond SMS-based OTPs toward:
- Biometrics: Unique and difficult to replicate.
- Software/hardware tokens: Generate time-sensitive passcodes.
- PINs or passkeys embedded in secured apps.
- Risk-based checks: Authentication varies depending on the transaction’s fraud risk level.
- Issuers encouraged to introduce new authentication factors leveraging technology advancements.
3. Compliance & Interoperability
- Banks, card issuers, and payment system providers must:
- Upgrade to dynamic authentication systems.
- Ensure interoperability across devices and apps.
- Facilitate open access to authentication/tokenisation services.
- FinTechs must build interoperable and user-friendly solutions.
- Focus on user education, especially for older users prone to OTP-related fraud anxiety.
4. Cross-Border Transactions
- By October 1, 2026, card issuers must adopt risk-based mechanisms for cross-border Card-Not-Present (CNP) transactions.
- Issuers must validate Additional Factor of Authentication (AFA) in all non-recurring CNP transactions, when requested by overseas merchants or acquirers.
- These changes aim to boost trust and reduce risks in international payments.
5. Customer Protection & Liability
- If a transaction occurs without compliance to these directions. The issuer must fully compensate the customer for any loss incurred.
- Issuers can use DigiLocker for notification and confirmation of high-risk transactions.
Principles for Digital Payment Authentication
| Principle | Description |
| Minimum Two | Every digital payment must use at least two factors of authentication. |
| Dynamic | At least one factor must be dynamically generated per transaction. |
| Robust | Compromise of one factor should not weaken the reliability of the other. |
Security & Ecosystem Benefits
- Enhanced fraud prevention through biometric and token-based verification.
- Interoperable ecosystem—reduces user friction across apps and devices.
- Seamless experience: Eliminates the need for multiple passwords.
- Globally aligned standards—strengthens India’s reputation in secure digital payments.
- User trust: Builds confidence in digital transactions and cross-border payments.
Key Facts
- Issued by: Reserve Bank of India (RBI)
- Effective Date: April 1, 2026
- Framework: RBI (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025
- Key Principle: Mandatory Dynamic 2FA for all digital transactions
- Applicability: Banks, Card Issuers, Payment System Operators, FinTechs
- Cross-border Risk-based Compliance: Mandatory from October 1, 2026
- Purpose: Enhance security, interoperability, and consumer protection in India’s digital payment ecosystem