RBI Mandates 2 Factor Authentication for Digital Payments from April 2026

The Reserve Bank of India (RBI) has introduced a new regulatory framework to strengthen digital payment security in the country. From April 1, 2026, two-factor authentication (2FA) will be mandatory for all digital transactions, with exceptions allowed only for certain small-value cases. The guidelines mark a major shift towards advanced, flexible, and secure verification methods, replacing the outdated reliance on SMS OTPs alone.

Key Highlights of the New Norms

Mandatory Two-Factor Authentication

  • All digital payments — including UPI, net banking, mobile wallets, and card-based transactions — will now require 2FA, ensuring two independent layers of verification. Small, low-risk transactions may be exempt based on pre-defined thresholds.

Flexible Authentication Methods

Banks and payment service providers will now have multiple options to verify users, including:

  • Biometric authentication (fingerprint, facial recognition)
  • Device-based tokens or app-linked authenticators
  • Passphrases, PINs, or security questions
  • Hardware/software-based OTP generators
  • Native device security features like facial unlock or fingerprint

These alternatives aim to reduce dependency on SMS OTPs, which are vulnerable to delays, phishing, and SIM-swapping.

Risk-Based Authentication

  • Institutions may use risk-based assessment to trigger extra layers of verification for high-value, cross-border, or suspicious transactions.
  • This allows adaptive security, improving user experience for low-risk cases while protecting against fraud.

Implementation Timeline

  • Effective date for domestic transactions: April 1, 2026
  • Cross-border and card-not-present transactions may receive extended deadlines
  • A phased rollout will be coordinated with banks and fintech players for smooth adoption

Key Facts

  • 2FA becomes mandatory: April 1, 2026
  • Applies to: UPI, net banking, cards, mobile wallets, etc.
  • Exemptions: Low-value transactions (as defined by RBI)
  • Permitted methods: Biometrics, tokens, passphrases, OTPs, app authenticators
  • Risk-based checks: Allowed for extra protection on flagged transactions
  • SMS OTP: Still allowed as one of the factors

Shivam
