Biometrics replacing SMS OTPs for UAE online transactions

Major banks in the UAE have begun informing customers that one‑time passwords (OTPs) via SMS for online card purchases are ending as the sector shifts to app‑based authentication and biometrics.

Messages sent to customers on December 31 confirmed that from January 6, 2026, banks will no longer send OTPs by text message for online card transactions. Instead, all payment verifications will be carried out exclusively via each bank’s mobile app.

“From January 6, 2026, we will stop sending one-time passwords (OTPs) via SMS for online card purchases,” read one of the alerts, as reported by Gulf News. Customers were urged to download and activate their bank’s app to continue making secure online payments.

The latest notifications are another step in a transition that began in mid‑2025. Banks began phasing out SMS and email OTPs in July, replacing them with in‑app verification for electronic transactions and money transfers.

An official circular issued at the time, CBUAE Notice 2025/3057, outlined a plan to gradually discontinue OTPs across traditional channels. Banks were instructed to encourage customers to complete digital transactions using app‑based authentication tools.

By September 2025, several banks had already completed the shift — including Emirates NBD, ADIB and FAB — moving to biometrics or in-app solutions for authorizing payments. A description by the Times of India of how in-app authentication for UAE banking apps works also specifies that native device face or fingerprint biometrics or a Smart Pass PIN is the final step in that method.

The Central Bank of the UAE (CBUAE) mandated the end of SMS-based OTPs by March 2026. According to Gulf News, some banks have considered retaining SMS OTPs for customers unwilling to use mobile apps, but only with a written request and with liability for potential fraud transferred to the customer.

SMS OTPs, you are the weakest link, goodbye

SMS messaging is regarded as a sore spot for security, especially when it comes to banking, with the lucrative connection making SMS a target for fraud and criminal activity. A variety of methods are employed.

A major tactic is SIM swapping. Telcos are duped into porting a customer's number onto a SIM card the fraudster controls. Fraudsters then take over that mobile number and the associated individual’s identity, receiving the OTPs needed to get into accounts.

Another method uses phishing via fake websites that look like the real thing. Unsuspecting users enter OTPs or personal details into a website that resembles their bank or ecommerce account. Open telecommunications networks are also at risk of interception, with hackers able to intercept or reroute SMS messages under outdated SS7 protocols.

The significant rise in fraudulent activity in the UAE led to the CBUAE issuing its 2025/3057 circular and putting SMS and email OTPs on notice.

Instead, all 3D Secure (3DS) transactions must rely on strong second‑factor authentication, including in‑app verification, tap‑to‑authenticate features, soft tokens or biometric checks. While risk‑based passive authentication remains permitted, any resulting fraud liability will fall on the institution.

To push the transition, banks are required to issue full refunds for any 3DS fraud that occurs when SMS OTPs are used.

Stronger authentication measures are now mandatory for multiple key processes. These measures include biometrics such as Emirates Face Recognition, cryptographic tokens like FIDO2-standard passkeys, secure in‑app approvals or behavioral biometrics.

These apply when registering a new device or accessing a banking app for the first time, enrolling in instant payment services, adding cards to digital wallets such as Apple Pay or Google Pay, and enabling single‑click payment features.

In addition, step‑up authentication is required for sensitive actions. This applies to initiating payments, changing limits or security settings, updating personal information and requesting new or replacement cards.

Biometrics vendors such as BioCatch, OneSpan and Sardine.ai have written guides on the UAE circular and its implementation.
