UPI transactions to get facial recognition, biometric security option from Oct 8: Report

India will allow users to authenticate Unified Payments Interface (UPI) transactions using facial recognition and fingerprints starting October 8, Reuters reported on Tuesday, citing people familiar with the development.

Authentications will be done using biometric data stored under Aadhar, according to the report.

The National Payments Corporation of India (NPCI) is expected to showcase the new biometric feature at the ongoing Global Fintech Festival in Mumbai.

The initiative follows the Reserve Bank of India’s (RBI) newly issued framework titled “Authentication Mechanisms for Digital Payment Transactions Directions, 2025,” which aims to strengthen payment security by allowing new authentication methods beyond the widely used SMS-based one-time passwords (OTPs).

The central bank said the directions focus on “encouraging introduction of new factors of authentication by leveraging upon technological advancements,” while retaining SMS OTP as an additional factor of authentication (AFA).

Under the new framework, banks, payment service providers, and fintechs can introduce alternative authentication mechanisms such as device-based verification, biometric authentication, hardware tokens, or passphrases, either alongside or instead of OTPs.

Currently, nearly all digital payments in India rely on SMS OTPs as the second layer of security. While the RBI has never mandated OTPs specifically, the payments industry has widely adopted them as the standard additional factor of authentication.

The RBI said that one of the two authentication factors must be unique to each transaction so that proof of possession cannot be reused or compromised.

“It shall be ensured that for digital payment transactions, other than card-present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction,” the central bank said in its September 25 notification.

Authentication factors may include “something the user knows” (such as a password or PIN), “something the user has” (a hardware token or device-based credential), or “something the user is” (such as fingerprints or facial recognition).

The directions apply to all domestic digital payment transactions conducted by banks, fintech firms, card issuers, and other payment system participants.