Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

SMS OTP phase-out in India and the UAE: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: India and the UAE are moving away from SMS OTP as a primary authentication method, with India mandating two-factor transaction checks from April 2026 and the UAE requiring a full phase-out by March 2026, according to Authsignal. The shift reflects a broader move toward phishing-resistant authentication that reduces interception and SIM-swap exposure.

NHIMG editorial — based on content published by Authsignal: India and the UAE are phasing out SMS OTP

By the numbers:

Questions worth separating out

Q: How should security teams phase out SMS OTP without breaking customer access?

A: Start by separating login, recovery, and transaction approval.

Q: Why does SMS OTP create more risk in banking and payments than many teams assume?

A: Because the trust boundary sits outside the application.

Q: What breaks when SMS OTP remains the fallback after stronger authentication is deployed?

A: The programme looks modern at the front door but stays vulnerable in recovery and exception paths.

Practitioner guidance

  • Map every SMS OTP dependency Inventory where SMS still appears in login, step-up, recovery, transaction approval, and exception handling.
  • Prioritise phishing-resistant authentication for high-risk flows Move passkeys, device-bound tokens, or in-app approvals into payment authorisation and account recovery before less critical user journeys.
  • Redesign recovery before decommissioning OTP Review password reset, SIM-change, device-loss, and account takeover recovery journeys separately from sign-in.

What's in the full article

Authsignal's full article covers the operational detail this post intentionally leaves for the source:

  • Country-by-country implementation specifics for India, the UAE, Singapore, Malaysia, and the Philippines
  • The exact authentication alternatives banks are using, including biometrics, soft tokens, and in-app approvals
  • The fraud and cost figures behind each regional policy shift
  • The practical trade-offs between WhatsApp OTP, SMS OTP, and stronger phishing-resistant methods

👉 Read Authsignal's analysis of SMS OTP phase-outs in India and the UAE →

SMS OTP phase-out in India and the UAE: what changes now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

SMS OTP created a channel trust problem, not just a user experience problem. The control assumes the phone-number delivery path is trustworthy enough to carry an authentication factor, but modern fraud techniques break that assumption routinely. Once the number can be swapped, spoofed, or intercepted, the factor no longer proves user possession in any meaningful way. Practitioners should stop treating delivery convenience as evidence of security maturity.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means hidden access remains a persistent governance blind spot.

A question worth separating out:

Q: Who is accountable when regulators require stronger authentication than SMS OTP?

A: IAM, fraud, digital product, and risk leaders share accountability because the control spans customer experience and financial loss prevention. In regulated environments, the organisation must show that weaker channels were reduced, monitored, or retired in line with policy and supervisory expectations.

👉 Read our full editorial: India and the UAE are phasing out SMS OTP for auth



   
ReplyQuote
Share: