RBI Issues Guidelines Allowing Customers to Use Other Methods of Authentication Besides OTP for Digital Payments
Mumbai, 26th September 2025: The Reserve Bank of India (RBI) has issued fresh guidelines on authentication for digital payments, expanding the scope of two-factor authentication (2FA) beyond the familiar SMS-based one-time password (OTP).
The new framework, called the Authentication Directions 2025, allows customers to use multiple methods such as biometrics, app-based tokens, and device-native features like fingerprint or facial recognition. While OTP will remain an option, it will not be the only one available.
According to RBI, all digital transactions must have at least two distinct layers of authentication, with one of them being unique and dynamically generated for every transaction. This is aimed at reducing fraud, minimising delays, and giving users more secure and convenient ways to verify payments.
The rollout will take place in phases. Domestic digital payments must comply by April 1, 2026, while cross-border “card-not-present” transactions will have to meet the standards by October 1, 2026.
The new rules cover three categories of authentication factors: something the user knows (such as a PIN, password, or passphrase), something the user has (such as a card, token, or device), and something the user is (biometric verification such as fingerprint, iris scan, or Aadhaar-based checks).
Banks, fintech firms, and wallet providers will now need to offer alternatives to OTP, integrate behavioural analytics, and enable DigiLocker-based verification for high-risk transactions. UPI operators and card networks have been instructed to support tokenisation and interoperable authentication, while merchants must update their checkout systems to match the new framework.
Industry bodies have welcomed the move. Vishwas Patel, Chairman of the Payments Council of India, said, “The new authentication framework strikes the right balance between safeguarding users and encouraging innovation in digital payments.”
With these changes, RBI aims to strengthen security for both domestic and international payments while ensuring the Indian payments ecosystem keeps pace with global practices.
