HID backs India’s move to stronger MFA for its giant volume of digital payments

HID has signalled its preparedness to help Indian banks and payment providers comply with the Reserve Bank of India’s sweeping new authentication rules.
The new requirements take effect next year and push the country’s digital payments ecosystem past SMS one‑time passwords (OTPs). “The RBI’s updated directions are a landmark step for India’s digital payments security,” said Edwardcher Monreal, principal solutions architect at HID.
“By moving beyond SMS OTPs and embracing standards-based authentication, India is aligning with global best practices. HID’s FIDO-based solutions give banks and payment providers a clear, proven path to compliance — one that not only meets the April 2026 deadline but also strengthens defenses against the evolving threat landscape.”
The RBI’s Authentication Mechanisms for Digital Payment Transactions came into force on 1 April. The new framework mandates stronger multi‑factor authentication (MFA) and aims for a decisive break from legacy password‑plus‑OTP models that have long underpinned India’s digital payments boom.
India’s payments landscape, driven by UPI and its processing of many billions of transactions each month, has become a global model for scale and speed. But the rise of phishing, SIM‑swap fraud and social engineering attacks has exposed the security weaknesses of SMS‑based OTPs.
In response, the RBI invoked its powers under the Payment and Settlement Systems Act, 2007, to require banks, non‑bank payment entities and fintech platforms to adopt more robust, dynamic and interoperable authentication mechanisms.
The new rules mandate that every digital payment must use at least two independent authentication factors, with one being dynamic. The RBI also encourages the use of advanced methods such as device‑bound credentials and biometric verification, and introduces a risk‑based model that allows issuers to apply stronger checks for higher risk transactions.
HID says its authentication platform, which is built on FIDO standards, directly addresses these requirements. By replacing shared secrets like passwords and OTPs with device‑bound passkeys secured through public key cryptography, HID’s system verifies users through a combination of device possession and biometrics or a PIN.
The key benefits include phishing‑resistant authentication tied to the user’s device, interoperability across platforms through open standards, support for adaptive and risk‑based security models and a faster, more intuitive customer experience. India’s transition mirrors trends seen elsewhere, with regulators in the EU, Middle East, Singapore and Australia steering away from shared‑secret authentication models.