FPJ News Service mumbai

The Reserve Bank of India (RBI) on Thursday announced new rules on digital payments, which allow for more ways to comply with the two-factor authentication-2FA- beyond the SMS-based one-time password.

The new guidelines will come into effect from Apr 1, 2026. The factors of authentication can be from “something the user has”, “something the user knows” or “something the user is” and may comprise, inter-alia, password, SMS-based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar-based), the RBI said. 

The RBI launched the (Authentication mechanisms for digital payment transactions) Directions, 2025, making it clear that 2FA will continue to be mandatory and SMS OTP can also be used. The central bank had first announced the move in February 2024 to enable the payments ecosystem to leverage the technological advancements for implementing alternative authentication mechanisms.

The new rules specify that at least one of the factors of authentication is dynamically created or proven, wherein the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction. Additionally, the system should also be robust, wherein compromise of one factor does not affect reliability of the other.

From a risk management perspective, the financial system stakeholders can also identify transactions for evaluation against behavioural /contextual parameters such as transaction location, user behaviour patterns, device attributes, historical transaction profile, etc.