The Central Bank of the UAE (CBUAE) has set a March 2026 deadline for banks and financial institutions to end the use of SMS and email-based one-time passwords (OTPs). The move, part of the country’s push toward modern digital identity systems, aims to combat rising fraud, reduce costs, and introduce advanced authentication methods such as passkeys and biometrics.
The directive and its timeline
The CBUAE directive requires all licensed financial institutions in the country to phase out traditional OTPs by March 31, 2026. The transition begins on July 25, 2025, when customers will start noticing new verification methods for online and mobile transactions.The decision follows a sharp rise in banking fraud across the UAE. In the first months of 2025, complaints related to digital banking scams rose by 73 percent, highlighting the weaknesses of SMS and email OTPs. These codes, once considered a reliable security measure, have become increasingly vulnerable to phishing, SIM-swapping, and social engineering attacks.By mandating stronger solutions, the central bank seeks to align the UAE with global best practices in cybersecurity while reinforcing its reputation as a hub for financial innovation.
Why OTPs are being phased out
For years, SMS and email OTPs have been the default layer of security for online banking. While convenient, they are now seen as outdated. Fraudsters can intercept OTPs through fake websites, duplicate SIM cards, or by tricking users into sharing codes.The vulnerabilities have reached a point where regulators view OTPs as a liability. By eliminating them, the UAE joins a global shift toward passwordless authentication. Major technology companies, including Meta, have already adopted passkeys — cryptographic keys stored on a user’s device and secured by biometrics like fingerprints or facial recognition.Passkeys provide instant, phishing-resistant authentication. They are tied cryptographically to a specific app or website, meaning even a well-crafted fake banking portal cannot trick the system. Unlike OTPs, there is no code to steal, intercept, or expire.
What will replace OTPs
Banks are expected to roll out a mix of technologies designed to be both secure and seamless:
- Passkeys based on global FIDO standards, secured by smartphone biometrics.
- Facial and fingerprint recognition, already being adopted by institutions like
United Arab Bank , which has partnered withEmirates Face Recognition for mobile banking logins. - UAE Pass integration, part of the country’s broader digital identity framework, with private providers such as Lleida.net supporting the system.
- Risk-based authentication, where small actions like checking balances require a quick
biometric scan, while larger transactions may trigger additional checks. - Behavioural biometrics, monitoring typing patterns, swiping gestures, or how a device is handled, adding invisible layers of security.
- Emerging safeguards such as AI-powered deepfake detection, decentralised identity systems, hardware security keys, and even post-quantum cryptography to prepare for future threats.
These measures not only block fraud at its source but also improve convenience for customers who often face delays with OTP messages or struggle with expired codes.
Impact on Banks and customers
The transition will not be a simple compliance task. It represents one of the most consequential technology shifts for the UAE banking industry in decades.
- For banks, the change means heavy investment in new authentication infrastructure but also cost savings in the long run. Sending millions of SMS messages every month is expensive, and OTP-related queries take up significant call-centre time. By moving to passwordless systems, banks can cut operational costs and focus on innovation.
- For customers, the biggest change will be how they log in and authorise payments. Instead of typing in codes, they will use fingerprints, face scans, or other built-in device features. The result is
faster logins, fewer failed transactions, and peace of mind that their credentials cannot be stolen through phishing. - For the wider ecosystem, the directive could strengthen consumer trust in digital banking and accelerate adoption of online services. Analysts say it is not just a regulatory change but a strategic inflection point for the UAE’s financial sector.
Global context and the road ahead
The UAE’s decision reflects an international trend. Banks in the United States and Europe have already deployed passwordless logins for millions of customers, reporting sharp drops in fraud and improved satisfaction. By setting a clear March 2026 deadline, the CBUAE ensures that the UAE will be among the first in the region to fully embrace the passwordless era.Experts caution that customer acceptance will be crucial. Many people are accustomed to OTPs, and some may feel uneasy about replacing them with biometrics. Banks are therefore expected to run awareness campaigns, emphasising that biometric data never leaves the device and cannot be stolen.As one UAE banking executive put it: “What feels like a big change is actually a win-win: stronger protection and less hassle.”With less than two years before the final phase-out, the countdown has already begun. Institutions that adopt the new systems early will set the benchmark for security and customer experience, while laggards risk losing trust.
Explainer : What customers need to know
- Deadline: SMS and email OTPs will disappear by March 2026.
- What replaces them: Biometric passkeys (fingerprint or face scan), UAE Pass, or device-based cryptographic keys
- Why it’s safer: Passkeys cannot be intercepted or reused, unlike OTPs. Your biometric data never leaves your phone.
- Added protections: For larger transactions, you may be asked for an extra biometric check or verification through behavioural analysis.
- Benefits: Faster logins, fewer delays, lower risk of fraud, and less reliance on SMS networks.
In short, the next time you log into your UAE bank account, your face, finger, or device itself will become your password.
