RBI mandates stronger two-factor authentication in new guidelines

RBI has mandated two-factor authentication for all digital payments from April 2026, with guidelines allowing biometrics, tokenisation and risk-based checks alongside OTPs

Ajinkya Kawale, Mumbai
Last Updated: Sep 25 2025 | 10:42 PM IST

The Reserve Bank of India (RBI) has mandated two factors of authentication for all types of digital payments in the country from April 1, 2026, to strengthen transaction security.
 
As per the RBI, at least one factor of authentication for a transaction must be dynamically created or proven. This means the proof of possession of that factor should be unique to that transaction.
 
According to the new guidelines, authentication measures include password, SMS-based one-time password (OTP), passphrase, PIN, card hardware, software token, fingerprint, or other biometrics (device-native or Aadhaar-based).
 
Currently, authentication for digital payments relies largely on SMS-based OTPs. Under the new rules, additional measures including biometrics can be implemented.
 
However, the RBI clarified that the new rules do not call for the discontinuation of SMS-based OTPs as an authentication factor.
 
“All digital payment transactions in India are required to meet the norm of two factors of authentication. While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based OTP as the additional factor,” the RBI said. 
 
The authentication factors should be such that compromise of one does not affect the reliability of the other.
 
“The guidelines focus on encouraging the introduction of new factors of authentication by leveraging technological advancements. Issuers may adopt additional risk-based checks beyond the minimum two-factor authentication based on the fraud risk perception of the underlying transaction,” the RBI added.
 
The guidelines also mandate card issuers to validate the additional factor of authentication (AFA) in non-recurring cross-border card-not-present (CNP) transactions whenever requested by the overseas merchant or acquirer.
 
“The recently released AFA directions strike an important balance between consumer security and innovation. We truly appreciate the regulator’s consideration of industry feedback. The clarity and flexibility provided will enable issuers and payment players to embrace next-generation tools like biometrics, tokenisation and contextual risk checks,” said Vishwas Patel, chair, Payments Council of India, and joint managing director, Infibeam Avenues.
 

First Published: Sep 25 2025 | 7:12 PM IST
