UAE banks prepare for a passwordless future

The Central Bank of the UAE (CBUAE) is mandating the phasing out of SMS-based one-time passwords (OTPs) by March 2026. It’s a decisive departure from legacy security methods that have grown increasingly vulnerable to fraud.

The directive requires financial institutions to adopt risk-based user authentication technologies including Emirates Face Recognition, soft tokens and biometrics. Banks are also required to implement real-time fraud monitoring, suspend sessions when malicious activity is detected, and provide customers with secure self-service account tools.

The compliance deadline leaves financial institutions just eight months to implement the new technologies and processes. As institutions map their transition, the shift away from OTPs is emerging as both a technological hurdle and a strategic opportunity, writes Issac John, Managing Editor at Khaleej Times.

Phishing, SIM-swapping, and social engineering attacks have exposed SMS-based OTPs’ weaknesses, prompting regulators to act. Pushing the industry to abandon these outdated tools, the CBUAE is accelerating the adoption of modern, phishing-resistant solutions like passkeys and biometric authentication.

While some institutions may view the directive as a costly compliance burden, forward-looking banks see it differently. For them, this is a moment to build a digital ecosystem that is not only more secure, but also faster and simpler for users, John argues. For millions of customers, the shift signals the dawn of a passwordless era — one that promises stronger protection and seamless access.

The replacement for OTPs is already here: passkeys. Based on global FIDO standards, passkeys use cryptographic keys stored on a user’s device and integrate with biometric features like fingerprints or face biometrics. Companies and institutions such as Microsoft, Facebook, the UK government, Mastercard, Visa and Amazon are high-profile backers of passkeys.

Instead of entering a code, users authenticate with a quick scan of their finger or face. The process is instant, secure, and effortless. Passkeys are inherently resistant to phishing because they’re cryptographically bound to the bank’s app or website — making fake login pages useless.

Passkeys eliminate common frustrations: delayed SMS messages, expired codes, and repeated calls to customer service. Biometric login is fast, familiar, and frictionless. This shift isn’t just about logins. Experts urge banks to treat it as a holistic journey, securing every interaction from onboarding to high-value transactions.

UAE banks Emirates NBD, ADIB, and FAB have already replaced SMS OTPs with biometric or in-app solutions for most online transactions, reports Bank Info Security. Mastercard has rolled out its passkey-enabled Click to Pay ecommerce feature in the United Arab Emirates through a partnership with Tap Payments.

The shift comes as threats surge — fraud and scams rose 43 percent year-on-year in the UAE with a Global Anti-Scam Alliance report finding more than 40,000 victims losing an average of $2,194 in 2023.

Emerging technologies are already being piloted to stay ahead of fraud. Authentication can adapt to context: a fingerprint for checking balances, a second biometric or behavioural analysis for larger transfers. Decentralized identity systems give users more control over personal data. Behavioral biometrics add invisible layers of protection. Some banks are even testing post-quantum cryptography, hardware keys, and AI-driven deepfake detection for high risk accounts. These innovations show that UAE banks aren’t just complying, they’re positioning themselves as global leaders in digital trust, John believes.

The UAE has developed biometric identification systems that will eliminate physical ID cards, showing the country’s technological shift. Its digital ID platform UAE Pass is used by millions to access thousands of public and private sector services digitally.

Article Topics

banking  |  biometric authentication  |  biometrics  |  passkeys  |  passwordless authentication  |  payment passkey  |  Saudi Arabia