Banking Sector Confronts Challenges with March 2026 Compliance Mandate

The Central Bank of the UAE has mandated that financial institutions discontinue insecure authentication methods, particularly those involving SMS- and email-based one-time passwords (OTPs). This directive necessitates a shift towards strong, risk-based user authentication technologies such as Emirates Face Recognition, soft tokens, and biometrics. In addition, banks are expected to set up real-time fraud monitoring systems, take immediate action in response to any detected malicious activities, and empower customers with tools for secure account management.
However, the deadline for compliance, set for March 2026, presents significant challenges. Many banks continue to operate on legacy systems that have largely depended on OTP frameworks, necessitating a comprehensive overhaul to integrate cryptographic tokens, biometric authentication methods, and secure application-based verifications. This transformation is further complicated by the need to educate customers who may be less proficient with new digital tools, as highlighted by Anis Ahmed, chair of the MENA Chapter of the Association of Certified Financial Crime Specialists.
In addition, the rollout of new systems has proven challenging. For instance, when Emirates NBD introduced its Smart Pass feature, some customers had to revert to physical tokens, complicating the transition and scalability of the program. Adding to the difficulties, mobile banking applications will require substantial modifications to incorporate secure digital tokens or biometric security features that are directly tied to individual users, as pointed out by Mohammad Barakat, global managing director at Consilium Advisory. He emphasized that integrating these systems with identity verification tools like Emirates ID and UAE Pass will necessitate considerable effort in development, testing, and system integration.
As of now, only a handful of banks in the UAE have fully phased out SMS-based OTPs. Leading institutions like Emirates NBD, ADIB, and FAB are in the process of migrating to more secure authentication methods, including biometric verification and mobile soft tokens, for the majority of their online transactions. The urgency of this transition is underlined by a recent announcement from the Central Bank, coinciding with a 43% year-over-year increase in scams and fraud incidents within the UAE.
A report from the Global Anti-Scam Alliance disclosed that over 40,000 individuals in the UAE fell victim to scams in 2023, losing an average of $2,194 each. This alarming trend has instigated a wave of innovation in the authentication space. Industry leaders such as Apple, Google, Microsoft, and Samsung are heavily investing in developing advanced authentication technologies aimed at countering fraud while providing seamless user experiences.
Barakat predicts that over the next few years, new technologies will standardize banking authentication practices. Passkeys based on FIDO2 standards are anticipated to replace traditional passwords, employing biometrics or cryptographic keys tied to devices for login processes. Moreover, behavioral biometrics—monitoring users’ patterns in typing and device interaction—will contribute an additional layer of continuous, invisible authentication.
Yet, technological advancements alone will not suffice. Effective progress will require enhanced collaboration between public and private sectors. Ahmed stressed the importance of integrating fintech and cybersecurity innovations into the national digital framework, as well as launching multilingual consumer awareness campaigns and improving coordination between banks and telecommunications companies to mitigate threats such as SIM swap fraud.
Globally, there is a noticeable trend towards phasing out SMS-based OTPs. An example can be seen in Singapore, where the Monetary Authority has advised banks to transition away from SMS-based authentication methods for various banking activities.