RBI: If you shop online, pay bills via UPI, or transfer money digitally, prepare for a significant change. The Reserve Bank of India (RBI) is implementing mandatory two-step authentication (2FA) for digital payments starting April 1, 2026. This initiative aims to minimize online fraud and enhance the security of digital transactions.
What changes will take effect from April 1?
Beginning April 1, 2026, a single OTP (one-time password) will no longer suffice for online transactions. The RBI has stipulated that every digital payment must now undergo at least two distinct and independent verification factors.
This means that merely entering the OTP during a payment will not finalize the transaction. You will need to complete an additional security step.
The authentication methods may include:
– password or passphrase
– PIN (Personal Identification Number)
– Biometrics such as fingerprint or facial recognition
– Software tokens generated in banking applications
– Hardware tokens that produce unique security codes
– SMS-based OTP (which will now serve as just a security layer)
Consequently, every transaction will now require at least two layers of security. This will significantly hinder unauthorized access to your account. Credit card transactions already utilize 2FA.
In its guidelines released on September 25, the RBI stated that the credentials used to verify a customer’s identity can fall into three categories:
– something the user possesses
– something the user knows
– something inherent to the user
These may encompass passwords, SMS OTPs, passphrases, PINs, card hardware, software tokens, fingerprints, or other forms of biometric identification.
How will 2FA function?
Two-factor authentication (2FA) necessitates that you undergo two distinct security checks to complete a transaction. For instance, when processing a payment, you might first be required to enter an OTP followed by a PIN.
Likewise, in many instances, devices can be recognized through biometric verification, such as fingerprint or facial recognition. Some platforms may also implement token-based authentication alongside passwords.
Why did trust in OTP decrease?
Previously, India’s digital payment system relied largely on OTPs for security. Initially, this method was considered quite secure, but over time, frauds such as phishing, SIM swaps, and malware increased, making OTPs a single security tool vulnerable. OTPs also often experienced delays. This is why the RBI has now decided to mandate two-tier security.
According to Amit Kumar, CTO and Director of Easebuzz, the additional security layer may make transactions take a little longer and the process more complicated. However, it will significantly reduce the risk of fraud and promote secure digital payments.
Banks will be held responsible for not implementing the rules
The RBI has made it clear that banks will be held responsible if the prescribed security measures are not implemented and fraud occurs as a result. This means: If a system error is discovered, customers may receive compensation. Banks will not be able to put the entire responsibility on the customers. Banks and financial institutions will have to strengthen their security systems further. According to Harsh Vardhan Masta, Head of Payments at Policybazaar, if fraud occurs due to non-compliance, banks and fintech companies will be held accountable. This will allow customers to receive compensation faster and ensure greater security of their money.
Rules will also apply to international transactions
The RBI has also directed that similar security rules be applied to international online transactions, particularly card not present (CNP) transactions, i.e., transactions where the card is not used at a machine but is paid for online. These rules will come into effect from October 1, 2026, so that international digital payments can be made with the same level of security as domestic transactions in India.
