TL;DR: The CBUAE will end SMS and OTP for UAE financial institutions by March 2026, pushing banks toward phishing-resistant passkeys that reduce fraud, user friction, and operational cost, according to HYPR. The real issue is not the authentication factor itself but the governance shift from legacy, interceptable credentials to device-bound assurance that changes how IAM, CIAM, and step-up controls are designed.
NHIMG editorial — based on content published by HYPR: The CBUAE's SMS and OTP Ban is a Golden Opportunity
By the numbers:
- By March 2026, the era of SMS and one-time passwords will be over for the nation's financial institutions.
Questions worth separating out
Q: How should security teams replace SMS OTP in banking authentication?
A: Start by moving the highest-risk customer journeys to phishing-resistant passkeys, then redesign recovery, device binding, and step-up for sensitive actions.
Q: Why do SMS and OTP fail for high-risk financial access?
A: They fail because the code is only as trustworthy as the delivery channel.
Q: What do teams get wrong about passwordless customer authentication?
A: They often focus on login convenience and ignore recovery, fallback, and transaction step-up.
Practitioner guidance
- Retire SMS and OTP from high-risk flows: Remove SMS and OTP from customer journeys where account takeover or transaction fraud would create material loss, and keep only narrowly justified exceptions with documented risk acceptance.
- Redesign recovery before rollout: Map how customers will recover access when they lose a device, fail biometric validation, or cannot complete registration, because recovery paths are where weak factors tend to re-enter the stack.
- Bind step-up controls to transaction risk: Use passkeys for sign-in and for high-value actions such as beneficiary changes, payment approval, or profile edits, so assurance rises when business impact rises.
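One way to turn the three points above into a repeatable check, as an added example that is not from HYPR or the original post: a small audit over an inventory of customer journeys. The journey names, field names, factor labels and the risk-acceptance reference are all hypothetical and the inventory is constructed sample data.

```python
# Added example: audit an authentication-flow inventory against the guidance above.
# All field names and factor labels are assumptions made for this illustration.
WEAK = {"sms_otp", "otp"}   # interceptable factors the guidance says to retire
STRONG = "passkey"          # phishing-resistant, device-bound factor

# Constructed sample inventory (not real bank data).
FLOWS = [
    {"name": "customer_login", "high_risk": True, "factors": ["passkey"],
     "recovery": ["sms_otp"], "risk_acceptance": None},
    {"name": "beneficiary_change", "high_risk": True, "factors": ["sms_otp"],
     "recovery": [], "risk_acceptance": None},
    {"name": "payment_approval", "high_risk": True, "factors": ["passkey"],
     "recovery": ["branch_id_check"], "risk_acceptance": None},
    {"name": "legacy_ivr_payment", "high_risk": True, "factors": ["otp"],
     "recovery": [], "risk_acceptance": "RA-PLACEHOLDER"},
    {"name": "marketing_optin", "high_risk": False, "factors": ["sms_otp"],
     "recovery": [], "risk_acceptance": None},
]

def audit(flows):
    """Return (flow, rule, detail) tuples for every gap found."""
    findings = []
    for f in flows:
        if not f["high_risk"]:
            continue  # guidance targets journeys with material loss potential
        accepted = bool(f.get("risk_acceptance"))
        weak_primary = sorted(WEAK & set(f["factors"]))
        weak_recovery = sorted(WEAK & set(f.get("recovery", [])))
        # Point 1: weak factor on a high-risk flow needs a documented exception.
        if weak_primary and not accepted:
            findings.append((f["name"], "weak-factor", weak_primary))
        # Point 2: a weak recovery path lowers the whole flow to that factor's
        # assurance, even when the primary factor is a passkey.
        if weak_recovery:
            findings.append((f["name"], "weak-recovery", weak_recovery))
        # Point 3: high-risk sign-in and actions should be backed by a passkey.
        if STRONG not in f["factors"] and not accepted:
            findings.append((f["name"], "no-passkey", sorted(f["factors"])))
    return findings

if __name__ == "__main__":
    for name, rule, detail in audit(FLOWS):
        print(f"{name}: {rule} {detail}")
```

The `customer_login` result is the case worth noticing: the sign-in itself uses a passkey, yet the flow is still flagged because its recovery path falls back to SMS.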
What's in the full article
HYPR's full blog post covers the operational detail this post intentionally leaves for the source:
- The specific CIAM and SDK integration paths the vendor describes for passkey rollout across customer channels
- Examples of how HYPR frames biometric step-up for sensitive transactions and customer onboarding
- The vendor's implementation narrative for reducing SMS delivery and password-reset burden at scale