The Reserve Bank of India's comprehensive digital payment authentication framework takes effect on April 1, 2026, fundamentally restructuring how payment security is implemented across the world's largest real-time payments market. Published on September 25, 2025, the guidelines require all domestic digital payment transactions to be secured by at least two distinct factors of authentication, while granting issuers substantially more flexibility in how those factors are deployed.
The new framework represents a decisive move away from India's longstanding reliance on SMS-based one-time passwords as the primary additional factor of authentication. For years, the SMS OTP served as the default second factor for virtually all Indian digital payments, a model that proved both friction-heavy for consumers and increasingly vulnerable to SIM-swap attacks, SS7 network exploits, and social engineering. Under the new rules, payment service providers may select from a broader set of authentication mechanisms, including passwords, PINs, hardware and software tokens, device-native biometrics, and Aadhaar-based biometric verification. The critical constraint is that at least one authentication factor must be dynamic and unique to each transaction, ensuring that compromise of a single factor does not defeat the overall payment security chain.
The risk-based calibration provisions are perhaps the most significant operational change. Issuers are now permitted to use contextual data, including device reputation scores, IP geolocation, transaction history patterns, and behavioral analytics, to determine the appropriate level of verification for each payment. A routine low-value transfer from a recognized device to a previously paid beneficiary may proceed with lighter authentication, while an unusual high-value transaction from an unfamiliar device would trigger enhanced verification. This tiered approach acknowledges what the industry has long argued: that uniform, rigid authentication requirements impose disproportionate friction on low-risk payments without commensurate security benefit.
The framework's scope is comprehensive, covering card transactions, Unified Payments Interface payments, net banking transfers, and wallet transactions. Given that India's UPI system alone processed over fourteen billion transactions in a single month during 2025, the operational implications of the transition are enormous. Payment service providers have had approximately eighteen months since the guidelines were published to redesign their authentication flows, integrate new factor types, and build or procure the risk-scoring infrastructure required for contextual assessment.
Cross-border transactions are addressed under a separate and later timeline. From October 1, 2026, card issuers will be required to validate additional factor authentication for non-recurring cross-border card-not-present transactions whenever an overseas merchant or acquirer requests such verification. This provision extends India's authentication requirements into the international domain while acknowledging the practical constraints of cross-border payment flows, where the acquirer-side infrastructure to support additional factor challenges varies significantly across markets.
The April 1, 2026 effective date arrives with no further extension anticipated. The RBI evidently concluded that eighteen months provided sufficient preparation time given the infrastructure already in place across India's digital payments ecosystem, though the shift from prescriptive to risk-based authentication represents a fundamental change in regulatory philosophy that will test the fraud management capabilities of smaller payment service providers in particular.