
RBI makes two-factor authentication mandatory for digital payments from April 1, 2026: All you need to know

3 min read | Updated on September 25, 2025, 17:58 IST

SUMMARY

The Reserve Bank of India (RBI) emphasised facilitating interoperability and open access to technology and directed payment providers to ensure that the above-mentioned services are available across all applications within that operating environment. 

The Reserve Bank of India (RBI) has made it mandatory for all digital payments to be authenticated using at least two factors starting from April 1, 2026.

No specific factor has been mandated, but the digital payments ecosystem has primarily adopted SMS-based One Time Password (OTP) as the additional factor, the RBI said.

In its Authentication Mechanisms for Digital Payment Transactions Directions, 2025, released on September 25, the RBI said, “All digital payment transactions in India are required to meet the norm of two factors of authentication. While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based One Time Password (OTP) as the additional factor.”

The digital payment ecosystem in India strongly depends on SMS-based one-time passwords (OTPs) as the second factor for authentication.

The RBI is now encouraging the adoption of other factors, including biometrics, device-native features, hardware tokens and tokenisation.

As per RBI’s guidelines, the factors for authentication may include biometric methods, passwords, passphrases, PINs, SMS-based OTPs, card hardware and software tokens.

While the RBI encourages the introduction of new factors of authentication, it does not discontinue the SMS-based OTP as an authentication factor.

This is aimed at preventing fraud and phishing. With technological advancements, the number of cases of SIM-related fraud and other types of online theft has dramatically increased. These new rules are meant to make digital transactions safer and more secure.

“RBI had issued draft directions on Alternative Authentication Mechanisms for Digital Payment Transactions on July 31, 2024 and draft directions on the introduction of Additional Factor of Authentication (AFA) in cross-border Card Not Present (CNP) transactions on February 07, 2025, for stakeholder comments,” RBI said in a release on Thursday.

The central bank said that these directions shall be complied with by April 1, 2026, unless indicated otherwise for any particular direction.

RBI guidelines: Key highlights

  • Two-factor authentication: Every digital transaction must be verified through at least two different factors.
  • Uniqueness: One factor must be uniquely generated for each payment. This means that one factor must be valid for only that transaction.
  • Liability: In case of fraud due to non-compliance with the regulations, the issuer (payment platform or financial company) must fully compensate the user.
  • Reliability: The factors of authentication must be such that the compromise of one factor does not affect the reliability of the other.

The RBI has also asked issuers to apply additional safeguards based on behaviour, device or location. This flexibility will allow for a balance of convenience and protection.

The central bank emphasised facilitating interoperability and open access to technology and directed payment providers to ensure that the above-mentioned services are available across all applications within that operating environment.

Cross-border payments

The RBI has mandated card issuers to validate Additional Factor of Authentication (AFA) of cross-border card-not-present (CNP) transactions whenever an overseas merchant or acquirer raises such a request. Additionally, card issuers must build a mechanism to validate non-recurring, cross-border CNP transactions where an overseas merchant or acquirer raises a request for authentication.

Exemptions

The RBI has specified some exemptions from the two-factor authentication rule, including:

  • Small-value contactless card transactions
  • Recurring transactions (after the first one is authenticated), under the e-mandate framework
  • Certain prepaid instruments like PPI-MTS and gift PPIs
  • NETC transactions
  • Small-value digital payments made offline (physically)
  • Travel bookings involving the Global Distribution System, corporate cards, etc

The RBI's framework emphasises interoperability, security and a risk-based approach, where high-risk transactions will have a safer system of validation. It is aimed at making India's digital payment ecosystem safer and more trustworthy.

About The Author

Vani Dua is a journalism graduate from LSR College, Delhi. At Upstox, she writes on personal finance, commodities, business and markets. She is an avid reader and loves to spend her time weaving stories in her head.
