RBI Mandates Two-Factor Authentication For Digital Payments

SUMMARY

RBI has made two-factor authentication (2FA) mandatory for all digital transactions from April 1, 2026

The new framework aims to strengthen digital payment security while enabling smoother and more flexible processes in a rapidly digitising environment

All payment service providers and partners are required to adhere to the new directions for domestic payments

A year after proposing alternate methods of additional factor of authentication (AFA) for digital transactions, the Reserve Bank of India (RBI) has released new directions, making two-factor authentication (2FA) mandatory for all digital transactions from April 1, 2026.

An AFA requires the use of more than one factor for authentication of a payment instruction. The new framework aims to strengthen digital payment security while enabling smoother and more flexible processes in a rapidly digitising environment.

“The factors of authentication can be from “something the user has”, “something the user knows” or “something the user is” and may comprise, inter-alia, password, SMS based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar based),” the RBI said in a notification.

As no specific factor was mandated for authentication, the digital payments ecosystem has been using SMS-based OTP as the additional factor for authentication for digital transactions till now. The new norms aim to facilitate the use of innovative authentication mechanisms that have emerged over the past few years.

“Issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions,” the notification added.

All payment service providers and partners are required to adhere to the new directions for domestic payments.

However, the new rules won’t apply to cross-border transactions. But card issuers will be required to set up systems that check and confirm international online card payments when foreign merchants or payment companies request authentication by October 1, 2026.

The new rules don’t call for discontinuation of SMS-based OTP as an authentication factor, the RBI added.

The central bank said that at least one of the factors of authentication should be dynamically created or proven, which means it should be unique for that transaction, for all digital payment transactions except those which are carried out through the physical use of a card at the point of transaction.

The development comes at a time when financial frauds and cyber frauds are on the rise in the country. Indians lost INR 107.21 Cr to cyber frauds in the first nine months of FY25.