UAE banks have discontinued SMS-based one-time passwords (OTPs) for online transactions from January 6, 2026, moving customers to app-based and biometric authentication as part of a wider security overhaul led by the Central Bank of the UAE. This marks a significant shift in how digital payments are approved, aiming to curb SIM-swap and phishing-related fraud while streamlining user experience for cardholders across the country.
Since January 6, customers making online card payments are no longer receiving OTP codes via SMS or email to complete their purchases. Instead, banks will push transaction-approval requests directly to their official mobile applications, where users must confirm the payment using in-app prompts.Major UAE lenders, including names like Emirates NBD and others, have started sending alerts to customers, warning that online payments may fail if the banking app is not installed and activated before the deadline.
Role of biometrics and app authentication
The new model relies heavily on biometric verification such as fingerprint and facial recognition, along with secure app PINs or Smart Pass-style codes built into mobile banking platforms. When a customer attempts an online transaction, a notification appears inside the bank’s app, and the user authorises it with their registered biometric data or a secure PIN rather than typing in a texted code.Banks and regulators describe this as “strong customer authentication,” aligning local practices with international standards similar to Europe’s PSD2 framework for secure digital payments.
Authorities and banks point to rising fraud that targets SMS OTPs, especially SIM-swap scams, phishing schemes and interception of text messages over insecure channels. By tying approvals to registered devices and biometrics inside the banking app, the sector aims to sharply reduce the chance that criminals can hijack authentication codes and authorise fraudulent payments in a victim’s name. The Central Bank’s notice (2025/3057) set March 2026 as the outer deadline to phase out SMS and email OTPs entirely, but most major banks accelerated implementation after seeing a spike in such fraud cases last year.
Impact on customers and preparations
Customers are being urged to update their bank apps to the latest version, register biometrics where available, and enable push notifications so they do not miss approval requests during online shopping or money transfers.Those who do not complete these steps risk declined payments or delays, particularly for e-commerce and international transactions that now depend entirely on in-app verification rather than text messages. Employers and community groups in the UAE have been encouraged to educate less tech-savvy users, including blue-collar workers who rely on digital wallets and remittances, to avoid disruption during the transition period.
The move positions the UAE as one of the early markets to rely almost exclusively on biometric and app-based approvals for everyday retail payments, ahead of many more mature banking jurisdictions. Industry analysts see this shift as part of a broader digital transformation strategy in the country’s financial sector, combining enhanced security with faster, more convenient user journeys for online transactions.For customers, the change may require short-term adaptation, but it is expected to deliver stronger protection and a smoother checkout flow once app-based and biometric authentication becomes routine.
