The Central Bank of the United Arab Emirates (CBUAE) has issued a directive requiring all financial institutions to eliminate SMS and email-based one-time password (OTP) authentication for customer transactions by March 31, 2026. This move, aimed at bolstering digital banking security, will affect banks, finance companies, exchange houses, insurers, and payment service providers across the UAE, marking a significant shift toward more secure, risk-based authentication technologies.

Traditional OTP methods, delivered via SMS or email, are increasingly vulnerable to phishing, SIM swapping, and SS7 protocol exploits. To counter these threats, the CBUAE is mandating the adoption of advanced authentication methods, such as Emirates Face Recognition, biometric verification, and mobile-based soft tokens.

Starting July 25, 2025, UAE banks will begin transitioning customers to app-based authentication for all domestic and international financial transactions. Leading institutions like Emirates NBD, ADIB, and FAB have already adopted biometric and in-app solutions for most online banking activities. Customers will need to enable app-based verification features to authorise transactions, replacing the reliance on SMS or email OTPs. The CBUAE has set a phased implementation, with full compliance required by March 2026.

The UAE’s move aligns with global trends, as countries like Singapore and Malaysia phase out SMS-based OTPs due to similar security concerns. The Monetary Authority of Singapore, for instance, mandated a similar shift in 2024, citing rising phishing scams. The CBUAE’s directive is part of its broader Financial Infrastructure Transformation (FIT) Programme, which includes initiatives like the planned launch of a retail central bank digital currency (CBDC), the digital dirham, in late 2025.