Starting July 25, 2025, banks across the UAE will begin a gradual phase-out of one-time passwords (OTPs) sent via SMS or email. Instead, in-app and biometric authentication will become the new standard for verifying transactions, with all UAE financial institutions required to comply by March 2026.
This transition, mandated by the UAE Central Bank, is aimed at strengthening digital banking security and reducing reliance on vulnerable channels that are frequently exploited by scammers.
Banks like Emirates NBD, ADIB, and First Abu Dhabi Bank are already moving ahead, replacing OTPs with real-time prompts in mobile apps that users can approve with a tap. Some banks have also integrated fingerprint and face ID verification, making the process not only more secure but also faster and more user-friendly.
The reason for this shift is straightforward: SMS OTPs are no longer considered safe. They’re susceptible to SIM-swap attacks, phishing scams, and delayed delivery — especially when users are travelling or dealing with poor mobile coverage. UAE banks have recorded growing incidents of fraud tied to stolen OTPs, with some customers losing entire savings to scammers who intercepted or tricked them into revealing codes.
The new system relies on secure app notifications and device-based confirmation. When making a transfer or online purchase, users receive a push alert from their bank’s app, showing transaction details with options to approve or decline. This eliminates the static code, gives users more control, and improves fraud detection. Authentication is typically protected by biometric login or device PIN, adding an extra layer of identity verification.
For higher-value or business accounts, some banks are also introducing advanced tools such as behavioral biometrics, soft cryptographic tokens, and hardware keys. Emirates Face Recognition — the UAE’s national facial ID system — is also expected to play a larger role in secure remote identification.
The Central Bank directive, issued in May 2025, requires all UAE banks to fully retire OTPs over SMS and email by March 31, 2026. While some banks may offer transitional grace periods, the long-term expectation is clear: the mobile app becomes the core gateway for approving any sensitive activity.
If you’re a customer, now is the time to ensure your bank app is updated and notifications are enabled. Set up fingerprint or facial recognition if supported. Learn how your bank handles transaction approvals inside the app — the days of switching between screens to find a 6-digit code are coming to an end.
Be prepared for situations like phone loss or upgrades. Most banks offer secure reactivation methods tied to your Emirates ID or in-branch verification, but it’s critical to act quickly if you lose device access. Make sure your app credentials are private and that no one else has biometric access on your device.
For customers without smartphones or who may face digital literacy barriers, some exceptions exist — like physical tokens for seniors — but these will be rare. The shift toward app-based banking is not optional; it’s the new default for digital security in the UAE.
This overhaul is part of a broader trend in global finance. Singapore and parts of Europe have already mandated similar changes. And in the UAE, regulators are emphasizing long-term protections like encrypted login systems, real-time threat detection, and passwordless technologies.
Ultimately, this isn’t just a technical update — it’s a necessary evolution. Replacing OTPs with smarter authentication will help protect customers from growing fraud threats and provide a faster, more seamless banking experience.
