On July 25, 2025, the Central Bank of the UAE (CBUAE) issued a landmark directive mandating all UAE banks to phase out SMS and email OTPs by March 2026. This pivotal move signals a major overhaul of the payment infrastructure, aiming to standardize in-app biometric authentication across the entire banking ecosystem.
For years, SMS and email OTPs have been the go-to method for authenticating financial transactions. However, this approach has increasingly revealed vulnerabilities, including OTP leaks and delays due to inconsistent telecommunications infrastructure. Globally, fraud related to SMS OTPs caused a staggering $6.7 billion in losses in 2021. In the UAE alone, scams surged by 43% year-on-year, impacting over 40,000 individuals in 2023, making SMS OTPs an easy target for cybercriminals.
To mitigate risks and enhance the user experience in payments and transactions, the CBUAE has directed the banking sector to adopt safer and more advanced authentication mechanisms integrated into mobile banking applications. The directive mandates all UAE banks to:
- Eliminate SMS and Email OTPs: Banks must completely cease using SMS or email OTPs by March 31, 2026
- Adopt stronger authentication methods: The CBUAE requires a shift to robust solutions such as biometric authentication via UAE Pass or Emirates Facial Recognition, alongside encrypted soft tokens and FIDO2-compliant passkeys
- Implement real-time fraud monitoring: Financial institutions must deploy session monitoring and risk-based access controls, automatically locking or suspending access upon detecting suspicious activity
This means that within the first eight months of implementation, financial institutions must develop a transition roadmap, test, and roll out new authentication systems to fully replace traditional OTPs. Users will no longer receive OTPs via SMS or email; instead, they will approve transactions directly within banking apps using fingerprints, facial recognition, or push notifications. This shift reduces transaction latency, enhances user experience, and strengthens security.
Currently, banks like Emirates NBD and ADIB have already adopted biometric login and soft tokens, while many others still rely on traditional OTPs and must urgently upgrade before the deadline. This bold move by the UAE is expected to ripple across the GCC, particularly Saudi Arabia, within the next 12 months. A unified standard for secure payment authentication across the MENA region is likely to emerge, fundamentally transforming the current payment infrastructure.
Savyint – Pioneering Strong Authentication Solutions for MENA Payments
Amid increasingly stringent payment security and user authentication requirements, particularly with the CBUAE’s new regulations, SAVYINT – a global technology leader in open banking, data security, and authentication solutions – is poised to partner with financial institutions and payment service providers across the MENA region.
SAVYINT delivers a comprehensive ecosystem of advanced strong authentication solutions, fully compliant with international standards and leveraging cutting-edge passwordless technologies to elevate user experience:
- Passwordless FIDO2: Utilizes the FIDO2 standard for secure authentication via biometrics or personal devices.
- PKI Passwordless: Leverages Public Key Infrastructure (PKI) to issue robust digital certificates, ensuring secure transactions and user identity with the highest reliability, meeting strong authentication requirements for payments and digital banking.
- SmartOTP Passwordless: Replaces traditional SMS OTPs with intelligent OTPs generated directly on users’ mobile devices, functioning offline and integrating biometrics, push authentication, and WYSIWYS for multilayered security and a seamless experience.
SAVYINT offers a robust suite of authentication solutions for payments and transactions:
- SAM Auth Server: A powerful authentication platform for digital and mobile payment transactions.
- SAM Appliance: An all-in-one solution for data encryption, digital signature authentication, and mobile identification.
- SAVYINT PKI In a Box: A tailored solution based on SAM Appliance, specialized for PKI, packaged in a hardware device with an accompanying Hardware Security Module (HSM).
- SAVYINT Mobile Identity/SDK: A digital identity platform for mobile electronic transactions, designed for cashless payments.
- Savyint CIAM/SCA – PSD2: Customer Identity and Access Management with Strong Customer Authentication, compliant with PSD2.
- Smart eKYC: Streamlined electronic Know Your Customer processes for secure onboarding.
By combining robust authentication technologies with strict adherence to international security standards such as FIDO2, PSD2, eIDAS, GDPR, and PCI DSS, Savyint’s solutions enable banks, fintechs, and service providers in MENA to rapidly deploy modern, flexible authentication platforms that integrate seamlessly with existing systems and fully comply with CBUAE regulations.
Connect with Savyint’s experts today to build a secure and compliant payment ecosystem.
