The Reserve Bank of India (RBI) on Thursday announced that new digital payment regulations, permitting various ways to meet Two-Factor Authentication (2FA) requirements beyond the standard SMS one-time password, will come into force from April 1, 2026.

Apart from SMS-based OTP, the factors of authentication can be from "something the user has", "something the user knows" or "something the user is" and may comprise, inter alia, password, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar-based), the central bank said in its statement, cited in reports.

The updated framework promotes the use of biometrics, app-based tokens, and device-native authentication methods, placing responsibility on the issuers.

All Payment System Providers and Payment System Participants, including banks and non-bank entities, shall ensure compliance with these directions by April 01, 2026, unless indicated otherwise for any specific provision herein.

Banks and payment providers are required to implement alternative 2FA methods by April 2026 for domestic transactions and by October 2026 for cross-border payments.