A year after proposing alternate methods of additional factor of authentication (AFA) for digital transactions, the Reserve Bank of India (RBI) has released new directions, making two-factor authentication (2FA) mandatory for all digital transactions from April 1, 2026.
An AFA requires the use of more than one factor for authentication of a payment instruction. The new framework aims to strengthen digital payment security while enabling smoother and more flexible processes in a rapidly digitising environment.
“The factors of authentication can be from ‘something the user has’, ‘something the user knows’ or ‘something the user is’ and may comprise, inter-alia, password, SMS based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar based),” the RBI said in a notification.
As no specific factor was mandated for authentication, the digital payments ecosystem has been using SMS-based OTP as the additional factor for authentication for digital transactions till now. The new norms aim to facilitate the use of innovative authentication mechanisms that have emerged over the past few years.
“Issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions,” the notification added.
All payment service providers and partners are required to adhere to the new directions for domestic payments.
However, the new rules won’t apply to cross-border transactions. Card issuers will nonetheless be required, by October 1, 2026, to set up systems that check and confirm international online card payments when foreign merchants or payment companies request authentication.
The new rules don’t call for discontinuation of SMS-based OTP as an authentication factor, the RBI added.
The central bank said that for all digital payment transactions, except those carried out through the physical use of a card at the point of transaction, at least one of the factors of authentication should be dynamically created or proven, which means it should be unique to that transaction.
The development comes at a time when financial frauds and cyber frauds are on the rise in the country. Indians lost INR 107.21 Cr to cyber frauds in the first nine months of FY25.
The post RBI Mandates Two-Factor Authentication For Digital Payments appeared first on Inc42 Media.