The Central Bank of the United Arab Emirates has taken a groundbreaking step in financial security.
It is now mandating the phase-out of SMS and email one-time passwords (OTPs).
Under the new regulation, all licensed financial institutions must replace OTPs with stronger, phishing-resistant methods, including:
- Cryptographic-enabled tokens (passkeys)
- Biometric verification (Emirates Face Recognition)
- Secure in-app approvals
- Behavioral biometrics
These measures must be implemented for critical operations such as:
- Device registration
- Card provisioning into digital wallets
- Payment initiation
The deadline for compliance is March 31, 2026.
The move comes amid growing concerns about the vulnerabilities of OTPs.
According to industry data, SMS-based fraud cost the financial sector $6.7 billion globally in 2023, with OTPs being the weak link in 15–20% of all account takeover attacks.
Why This Matters
By mandating stronger authentication, the UAE aims to reduce fraud risk and strengthen trust in its rapidly growing digital financial ecosystem.
This initiative could signal a regulatory turning point.
As governments worldwide tighten cybersecurity and identity assurance requirements, many may follow the UAE’s lead in banning OTPs and enforcing modern authentication standards like passkeys, biometrics, and verifiable credentials.
Could this mark the beginning of the end for OTPs around the world?
One of the world's largest telecom providers, Telefónica, is piloting a caller authentication solution that eliminates OTPs and security questions.
They're joining us live on the podcast to demo this innovative solution and discuss the results of the project.






