Date: 2025-09-30

Financial institutions and payment networks in India can add risk analysis to their two-factor authentication for digital payments, according to new direction from the Reserve Bank of India.

The direction on “Authentication Mechanisms for Digital Payment Transactions” was published by the RBI on Thursday, and also provides clarification about how the mandatory 2FA for digital payments should work. Specifically, the two factors should not be of the same type of authentication, and instead should be drawn from two of the three categories: knowledge, possession and inherence. Both Aadhaar biometrics stored by the central government and native device biometrics are acceptable for the latter, the guidance says.

For remote or card-not-present (CNP) transactions, one of the factors must be dynamic, meaning an OTP or biometric is provided as part of the process, rather than carried over from a past presentation.

The above requirements take effect on April 1, 2026.

RBI has been steadily moving towards multi-factor authentication (MFA) with at least one dynamic factor for digital payments over the past few years, as well as modernized methods of biometric KYC checks to complete customer onboarding.

For CNP transactions that are carried out across borders and are not recurring, the card issuer will have to have registered its Bank Identification Number with card networks.

Banks, fintechs and other payment system participants have until October 1, 2026 to comply with the cross-border rules.

The guidance explicitly does not advise banks to discontinue sending one-time passwords (OTPs) over SMS, despite NIST declaring them too insecure to continue using in 2020.

Fingerprint scanner market robust

India-based startup Proxgy has launched a biometric point-of-sale device for payment authentication through Aadhaar and UPI that works even if the customer does not own a smartphone.

The new ThumbPay device, priced at less than 2,000 rupees (approximately US$22.50), verifies the customer’s thumbprint biometrics against the Aadhaar Enabled Payment System (AEPS), the Times of India reports.

The device includes built-in fraud detection, and options for payments through QR codes and NFC, though neither is required.

Idex Biometrics has been positioning itself for the Indian market since expanding into the country last year.

“The RBI’s approval of biometric authentication represents a transformational moment for digital payment security in India,” says Idex CEO Anders Storbråten. “Idex has been strategically positioned for this regulatory shift, having successfully conducted pilot testing with Indian payment partners. Our technology meets the exact security and privacy requirements outlined in the new guidelines.”

Next Biometrics’ Mumbai-based partner Evolute has received Aadhaar L1 certification for its POS devices, enabling their compliance for biometric authentication.

There are close to 4.5 million devices certified to “L0” in India that will have to be upgraded, Next says, providing ample market opportunity.

The certification marks the next phase in a multi-year commercial partnership established in 2023, Next says, which is expected to deliver revenues of between 14 and 28 million Norwegian kroner (US$1.4 million to $2.8 million) for Next.

“By integrating Next’s advanced biometric sensors with Evolute’s proven engineering prowess, and achieving L1 certification, we are setting a new benchmark of trust for secure and inclusive citizen services,” says Evolute CEO Parag Mehta. “This collaboration reflects how Evolute’s deep product engineering expertise, combined with Next’s technological rigor, creates a formidable partnership capable of accelerating innovation for India and the world at scale.”

