The Reserve Bank of India's new authentication framework takes effect on April 1, 2026, requiring every domestic digital payment transaction to include two distinct factors of authentication. The directions apply across all channels, including UPI, card payments, internet banking, and mobile wallets, marking one of the most comprehensive authentication overhauls in the country's digital payments history.
Under the new framework, at least one authentication factor must be dynamic, meaning it is unique to each transaction. Acceptable methods include biometric verification through fingerprints or Aadhaar-based checks, device tokens, cryptographic keys, passphrases, and PINs. One-time passwords sent via SMS remain a permitted option but are no longer treated as the sole or default method, reflecting the regulator's recognition that SIM-swap fraud and OTP interception have become significant vulnerabilities in India's digital payment ecosystem.
The framework introduces a risk-based approach that gives payment service providers discretion to apply authentication methods appropriate to the transaction's risk profile. Issuers may implement additional checks beyond the minimum two factors when their internal risk assessment identifies elevated fraud probability. This flexibility allows institutions to balance security with user experience, particularly for low-value routine transactions where excessive friction could discourage adoption.
Certain transaction categories receive exemptions from the full two-factor requirement. Small offline payments, pre-approved recurring e-mandates, and transit-related transactions will continue to operate under their existing authentication arrangements. For cross-border card-not-present transactions, the RBI has set a separate deadline of October 1, 2026, by which card issuers must establish systems to validate non-recurring transactions whenever an overseas merchant or acquirer requests authentication.
The practical impact on UPI, which processed 20.39 billion transactions in February 2026 alone, will depend on how quickly payment apps integrate the new authentication options. The existing UPI PIN mechanism already satisfies the something-you-know factor, and most modern smartphones provide the something-you-have factor through device binding. For IMPS, NEFT, and RTGS transactions processed through internet and mobile banking, the shift away from SMS-OTP toward app-based or biometric authentication should reduce transaction failures caused by delayed or undelivered text messages, particularly in areas with unreliable mobile coverage.
The directions represent the culmination of a process that began with the RBI's circular issued in September 2025, which outlined the new authentication principles and gave the industry a six-month implementation window. Banks and payment aggregators have spent the intervening months upgrading their authentication infrastructure, with the April 1 deadline now set to bring the entire ecosystem into compliance simultaneously.