The Reserve Bank of India (RBI) has issued the “Authentication Mechanisms for Digital Payment Transactions Directions, 2025,” mandating two-factor authentication (2FA) for all domestic digital transactions starting April 1, 2026. This framework aims to curb the rising incidence of fraud in UPI, cards, and wallet transactions. Under the new rules, each transaction must be verified using two independent factors: something the user knows (password or PIN), something the user has (OTP, token, or device), or something the user is (biometric data), with at least one factor being dynamic and unique per transaction.
The RBI encourages innovative authentication methods, moving beyond traditional SMS-based OTPs. Banks and fintechs can adopt biometric verification, device-based tokens, and secure passphrases. Additionally, risk-based authentication allows extra verification for high-value, suspicious, or unusual transactions based on user behaviour, location, or device patterns. This provides context-aware security that protects users without disrupting routine payments.
Certain transactions are exempt from mandatory 2FA, including small-value contactless card payments, recurring e-mandates, prepaid instruments with limited value, FASTag toll payments, and corporate travel bookings via IATA or GDS channels. For cross-border card-not-present (CNP) transactions, issuers must implement authentication mechanisms by October 1, 2026, aligning domestic security standards with global best practices.
Industry Response and Implications
India’s fintech sector has broadly welcomed the RBI’s framework, viewing it as a significant step toward modernizing the digital payments ecosystem. Key takeaways from industry feedback include support for dynamic, context-aware authentication, recognition that this moves away from outdated OTP systems, and requests for clear guidance on cross-border transaction timelines to ensure smooth implementation.
Implications for Stakeholders:
· Consumers: Enhanced protection with safer online payments and reduced fraud risk.
· Banks and Payment Providers: Need to upgrade authentication systems and implement dynamic, risk-based mechanisms.
· FinTechs: Opportunity to innovate with biometric and device-based solutions, ensuring regulatory compliance and building customer trust.