By NHI Mgmt Group Editorial TeamPublished 2025-10-02Domain: Governance & RiskSource: Descope

TL;DR: The UAE central bank has ordered consumer-facing financial institutions to eliminate SMS and email OTPs and move toward phishing-resistant authentication, while also shifting liability for 3D Secure fraud involving SMS OTPs, according to Descope. Legacy OTPs no longer fail only at the login step, they now create direct operational and financial exposure.


At a glance

What this is: This is a regulatory analysis of the UAE central bank’s SMS and email OTP ban and its push toward phishing-resistant authentication for consumer financial services.

Why it matters: It matters because IAM, PAM, and identity leaders now have a clear example of how fraud liability, session controls, and authentication method choice are converging across human and machine identity programmes.

By the numbers:

👉 Read Descope's analysis of the UAE central bank's SMS OTP ban


Context

SMS OTP is a weak second factor because it can be intercepted, relayed, or abused through phishing and SIM swap attacks, which makes it a poor fit for high-value financial authentication. The UAE central bank’s notice matters for identity security because it turns that technical weakness into a compliance deadline and a liability issue.

The broader pattern is clear. Once regulators treat shared or interceptable authentication methods as unacceptable, identity programmes have to move from code-based verification to phishing-resistant authentication, session monitoring, and risk-based step-up controls for consumer banking and related access journeys.


Key questions

Q: How should security teams phase out SMS OTP without breaking customer access?

A: Start with the highest-risk journeys, especially payment approval and account changes, then move login and lower-risk flows. Replace SMS OTP with phishing-resistant factors such as passkeys or in-app approvals, keep fallback tightly limited, and test migration by customer segment so the bank can manage friction while reducing fraud exposure.

Q: Why do SMS and email OTPs create so much risk in regulated banking?

A: They create risk because the factor can be intercepted, shared, or relayed by an attacker, so it does not prove possession of a trusted device or a legitimate session. In regulated banking, that weakness becomes more serious when fraud reimbursement or liability shifts to the institution.

Q: What breaks when organisations keep static or shareable authentication methods in place?

A: What breaks is the assumption that the second factor privately binds the user to the session. Phishing, SIM swapping, malware, and remote access abuse all exploit that gap, allowing attackers to satisfy the check without establishing real trust in the device or channel.

Q: Who should be accountable when fraud occurs through an OTP-based flow?

A: Accountability should sit with the teams that own authentication policy, fraud monitoring, and customer reimbursement, because those controls now influence the same outcome. If the bank allows a weak factor in a high-risk flow, governance should treat that as a shared control decision, not a narrow IAM issue.


Technical breakdown

Why SMS OTP fails as a phishing-resistant factor

SMS OTP depends on a channel that can be intercepted, redirected, or socially engineered, so it does not bind authentication to the user’s device or application context. In practice, attackers can phish the primary credential, capture the one-time code in real time, or abuse telecom weaknesses such as SIM swapping. That makes SMS OTP usable for convenience, but fragile for assurance. The security problem is not just message delivery, it is that the factor remains shareable and replayable under pressure.

Practical implication: retire SMS OTP from sensitive banking flows first, especially where fraud liability or high-value transactions are involved.

What phishing-resistant authentication changes for consumer banking

Phishing-resistant methods such as FIDO2 passkeys, in-app approvals, and hardware or software tokens tie the approval step to a trusted device or cryptographic credential. That changes the attack economics because a fake login page cannot easily extract a reusable secret. Biometric unlocks may improve usability, but the real control is the underlying device-bound cryptographic proof. For regulated banking, the value is not only stronger authentication, but better evidence that the user and the session were linked to a legitimate device.

Practical implication: prefer device-bound, cryptographic authentication for consumer access and transaction approval, not just stronger codes.

How session protection and risk scoring fit the mandate

The notice goes beyond login and into live session control. By requiring institutions to suspend sessions when malware, screen-sharing tools, or remote access software are detected, it treats an active device compromise as a risk condition that can invalidate the session itself. Real-time fraud detection then uses device, location, velocity, and behaviour signals to decide whether to stop or step up a transaction. That is a shift from static authentication to continuous context validation across the customer journey.

Practical implication: connect authentication, session risk, and transaction monitoring so suspicious activity can be blocked before fraud completes.


Threat narrative

Attacker objective: The attacker’s objective is to complete unauthorised account access or payment fraud while appearing to satisfy the bank’s authentication checks.

  1. Entry occurs when an attacker phishes or otherwise captures the user’s primary credentials and then intercepts the SMS OTP during the login or transaction step.
  2. Credential abuse follows when the attacker reuses the shared code or relays it in real time to satisfy the second-factor challenge and gain access.
  3. Impact occurs when the attacker completes fraudulent transfers or account actions before the bank’s detection logic or session controls stop the activity.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

SMS OTP has become a liability-bearing identity pattern, not just a weak factor. The UAE notice shows that once regulators align fraud reimbursement with authentication choice, the control conversation changes from convenience versus friction to loss containment and accountability. The practical conclusion is that consumer authentication decisions now sit directly inside fraud governance, not beside it.

Phishing-resistant authentication is now the baseline expectation for regulated consumer access. FIDO2, in-app approvals, and device-bound tokens matter because they reduce replay and interception risk in a way OTPs cannot. That does not solve all fraud, but it changes the assurance model from something the attacker can relay to something the attacker has to compromise at the device or cryptographic layer.

Step-up and session suspension are becoming part of the authentication control plane. The notice makes device compromise indicators operationally relevant during an active session, which means identity teams and fraud teams can no longer operate in separate lanes. The programme implication is that authentication policy, session telemetry, and transaction risk scoring now need one joined control model.

Shared or interceptable authenticators belong in the same failure bucket as other shareable credentials. SMS OTP, email OTP, and static passwords all rely on a trust assumption that the factor can be privately delivered and privately used. That assumption breaks under phishing, malware, and social engineering, so identity governance should classify these methods as exposure-prone rather than merely legacy. Teams should treat the migration away from them as a control reclassification exercise, not a UX upgrade.

Phishing-resistant auth and real-time fraud controls are converging into one governance domain. The more banks use device, location, and behaviour data to trigger step-up or suspension, the more identity assurance becomes an operational fraud control. Practitioners should therefore align IAM, fraud operations, and compliance reporting around the same event stream and the same customer risk decisions.

From our research:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the same AI agents research.
  • For the wider identity governance context, see the Ultimate Guide to NHIs for lifecycle and access control patterns that help reduce exposure across machine identities and automated access.

What this signals

Phishing-resistant authentication is becoming a governance floor, not a premium control. As regulators move against shareable factors, banks that keep SMS OTP in place will increasingly carry both compliance and fraud liability in the same control decision. The practical signal is that identity roadmaps should now budget for passkeys, in-app approval, and session risk control together, not as separate projects.

Risk-based authentication will absorb more of the control burden that used to sit at the login screen. Once device, location, and behavioural signals are part of the decision, authentication becomes an ongoing security posture rather than a single check. That means practitioners need tighter integration between IAM policy, fraud analytics, and customer experience teams if they want to reduce both losses and friction.

The migration away from OTPs also sharpens the boundary between identity assurance and account recovery. If recovery flows still rely on weak factors, attackers will simply shift to the softer path, so teams should review the whole journey, not only the first login. For broader context on machine and automated access governance, the Ultimate Guide to NHIs remains the right baseline reference.


For practitioners

  • Map every remaining OTP dependency Inventory where SMS and email OTP are still used across mobile, web, call centre, and high-risk transaction flows, then rank those paths by liability exposure and fraud value. Prioritise 3D Secure and payment approval journeys first because those are the clearest regulatory pressure points.
  • Move high-value flows to phishing-resistant factors Replace legacy OTP challenge steps with FIDO2 passkeys, in-app approvals, or cryptographic tokens for login and transaction approval. Use the weakest remaining OTP flows only as temporary fallback while migration is in progress.
  • Join authentication and fraud telemetry Feed device posture, geolocation, velocity, and behavioural signals into the same decision engine that governs step-up or session suspension. Banks need one control loop that can stop an account action before a fraudulent transaction finalises.
  • Rework policy ownership across IAM and fraud teams Assign clear ownership for factors, session risk, and reimbursement-triggering events so compliance, identity, and fraud operations are not making separate decisions about the same customer action. A shared policy layer is essential when liability shifts before the final compliance date.

Key takeaways

  • The UAE notice turns SMS OTP from a convenience choice into a regulated liability decision, which changes how identity teams should evaluate legacy authentication.
  • Fraud trends and reimbursement rules now reinforce the case for device-bound authentication, session monitoring, and real-time risk scoring in the same control model.
  • Teams that treat OTP retirement as an authentication-only project will miss the operational link between fraud prevention, customer experience, and regulatory accountability.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1The article is about limiting weak authentication methods and strengthening access assurance.
NIST SP 800-63The move from OTP to phishing-resistant auth aligns with digital identity assurance guidance.
NIST Zero Trust (SP 800-207)PR.AC-4Continuous verification and session risk controls are central to the notice’s session-suspension model.

Map consumer authentication flows to PR.AC-1 and remove shareable factors from high-risk journeys.


Key terms

  • Phishing-resistant authentication: Authentication that cannot be easily captured and replayed by a fake login page or relay attack. It usually relies on device-bound cryptography, such as passkeys or hardware tokens, so the user proves possession of a trusted device rather than entering a reusable secret.
  • Risk-based authentication: An authentication approach that changes the challenge based on context such as device, location, behaviour, and transaction value. It is useful in banking because it lets security teams step up only the actions that look suspicious while keeping lower-risk access paths usable.
  • 3D Secure fraud liability: The financial responsibility attached to card-not-present fraud that occurs in a 3D Secure flow. When liability shifts to the institution, authentication decisions stop being a pure user-experience issue and become a direct driver of loss exposure and governance accountability.
  • Session suspension: A control that terminates or blocks an active session when compromise signals appear, such as malware, screen sharing, or remote access tools. It extends identity security beyond login by treating the live session as a security boundary that can become invalid mid-use.

What's in the full article

Descope's full article covers the operational detail this post intentionally leaves for the source:

  • A step-by-step breakdown of how to audit SMS and email OTP dependencies across mobile, web, call centre, and payment flows.
  • Specific guidance on using FIDO2, biometrics, in-app approvals, and hardware or software tokens in consumer banking.
  • Implementation examples for session suspension when malware, screen sharing, or remote access tools are detected.
  • Practical migration tactics for phased rollout, customer communication, and A/B testing of compliant authentication flows.

👉 Descope's full post covers compliance steps, session controls, and migration options for consumer banking teams.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org