India's Two-Factor Authentication Mandate Takes Effect as UPI Outages Hit Major Banks

The Reserve Bank of India's mandatory two-factor authentication requirement for all digital payments took effect on April 1, 2026. UPI services experienced widespread outages on the same day, with users at SBI, HDFC, and ICICI reporting failed transactions during financial year-end maintenance.

Every UPI, debit card, and mobile wallet transaction in India now requires at least two independent verification methods under the new mandate. Acceptable combinations include a PIN or password paired with a biometric scan, a registered device, or a dynamically generated code. At least one factor must be dynamically generated for each specific transaction.

State Bank of India extended scheduled maintenance until 12:30 PM on April 1. Over 500 user complaints were filed as UPI, YONO, and internet banking services went offline. Users in Delhi, Mumbai, Bengaluru, and Hyderabad reported failed payments and amounts debited without merchant confirmation. SBI advised customers to use UPI Lite, the eRupee CBDC app, and ATM services during the disruption.

The RBI plans to extend the two-factor authentication mandate to international card transactions by October 2026.