RBI Ushers in a New Era: Diversifying Digital Payment Security Beyond OTP
The Reserve Bank of India is set to introduce new digital payment rules enhancing Two-Factor Authentication (2FA) options beyond SMS-based OTPs, effective April 1. These changes aim to improve security and flexibility in digital transactions, allowing various authentication methods like passwords, tokens, and biometrics.

- Country: India
The Reserve Bank of India (RBI) has announced the implementation of new rules for digital payments from April 1, broadening the scope of Two-Factor Authentication (2FA) methods beyond the traditional SMS-based one-time passwords (OTPs). The RBI's move is aimed at enhancing security and flexibility in digital payments.
According to the RBI, factors of authentication can be drawn from three categories: something the user has, something the user knows, or something the user is. Options include passwords, passphrases, PINs, card hardware, software tokens, fingerprints, and other biometrics. The new directives, part of the Authentication Mechanisms for Digital Payment Transactions Directions, 2025, will ensure that 2FA remains mandatory, with SMS OTPs still a valid method.
The central bank's guidelines require that at least one authentication factor be dynamically created for each transaction, and highlight the need for a robust system in which the compromise of one factor doesn't compromise the others. Issuers are also encouraged to utilize DigiLocker for high-risk transactions, and are to ensure full compensation for any losses from non-compliant transactions. The RBI has also set a 2026 deadline for validating certain cross-border transactions.
(With inputs from agencies.)