TL;DR: The UAE central bank has ordered consumer-facing financial institutions to eliminate SMS and email OTPs and move toward phishing-resistant authentication, while also shifting liability for 3D Secure fraud involving SMS OTPs, according to Descope. Legacy OTPs no longer fail only at the login step, they now create direct operational and financial exposure.
NHIMG editorial — based on content published by Descope: UAE Central Bank Bans SMS & Email OTP: What You Need to Know
By the numbers:
- In 2024, the Monetary Authority of Singapore required retail banks to phase out SMS OTPs for customers who had already enabled digital tokens.
- The directive requires licensed financial institutions to phase out email and SMS OTP-based authentication methods by March 31, 2026.
- The National Financial Ombudsman Scheme reported a 73% increase in digital banking fraud complaints in early 2025.
Questions worth separating out
Q: How should security teams phase out SMS OTP without breaking customer access?
A: Start with the highest-risk journeys, especially payment approval and account changes, then move login and lower-risk flows.
Q: Why do SMS and email OTPs create so much risk in regulated banking?
A: They create risk because the factor can be intercepted, shared, or relayed by an attacker, so it does not prove possession of a trusted device or a legitimate session.
Q: What breaks when organisations keep static or shareable authentication methods in place?
A: What breaks is the assumption that the second factor privately binds the user to the session.
Practitioner guidance
- Map every remaining OTP dependency Inventory where SMS and email OTP are still used across mobile, web, call centre, and high-risk transaction flows, then rank those paths by liability exposure and fraud value.
- Move high-value flows to phishing-resistant factors Replace legacy OTP challenge steps with FIDO2 passkeys, in-app approvals, or cryptographic tokens for login and transaction approval.
- Join authentication and fraud telemetry Feed device posture, geolocation, velocity, and behavioural signals into the same decision engine that governs step-up or session suspension.
What's in the full article
Descope's full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step breakdown of how to audit SMS and email OTP dependencies across mobile, web, call centre, and payment flows.
- Specific guidance on using FIDO2, biometrics, in-app approvals, and hardware or software tokens in consumer banking.
- Implementation examples for session suspension when malware, screen sharing, or remote access tools are detected.
- Practical migration tactics for phased rollout, customer communication, and A/B testing of compliant authentication flows.
👉 Read Descope's analysis of the UAE central bank's SMS OTP ban →
SMS OTP bans and phishing-resistant auth: what banks need now?
Explore further
SMS OTP has become a liability-bearing identity pattern, not just a weak factor. The UAE notice shows that once regulators align fraud reimbursement with authentication choice, the control conversation changes from convenience versus friction to loss containment and accountability. The practical conclusion is that consumer authentication decisions now sit directly inside fraud governance, not beside it.
Phishing-resistant authentication is becoming a governance floor, not a premium control. As regulators move against shareable factors, banks that keep SMS OTP in place will increasingly carry both compliance and fraud liability in the same control decision. The practical signal is that identity roadmaps should now budget for passkeys, in-app approval, and session risk control together, not as separate projects.
A question worth separating out:
Q: Who should be accountable when fraud occurs through an OTP-based flow?
A: Accountability should sit with the teams that own authentication policy, fraud monitoring, and customer reimbursement, because those controls now influence the same outcome. If the bank allows a weak factor in a high-risk flow, governance should treat that as a shared control decision, not a narrow IAM issue.
👉 Read our full editorial: UAE central bank ban on SMS OTPs raises the bar for auth