RBI 2FA Payment Authentication Rules from April 2026
From 1 April 2026, every digital payment in India must still pass two-factor authentication, but SMS OTP is no longer the only allowed method. Banks may also use biometrics, passkeys, app approvals or hardware tokens, as long as two factors are used and, for non-card-present payments, at least one factor is created fresh for that transaction.
This does NOT mean OTP-free payments. Authentication is not abolished. The Reserve Bank of India has made the rules technology-neutral, so the SMS OTP you use today remains perfectly valid. The change simply lets your bank offer safer or smoother alternatives.
If you are short on time, jump to “What you should do” below to see the few practical steps that matter for you as a customer.
What the rule actually says
The instrument is the Reserve Bank of India Authentication Mechanisms for Digital Payment Transactions Directions, 2025. The RBI issued it on 25 September 2025. The compliance date for domestic digital payments is 1 April 2026.
The core principle is simple. Two factors must authenticate every digital payment transaction. For a non-card-present transaction, such as an online or in-app payment, at least one of those two factors must be dynamic. A dynamic factor is one created fresh for that single transaction, for example an OTP, an app-generated code, a passkey or a live biometric prompt. A static credential alone, like a saved password, is not enough on its own.
The framework is risk-based. For a suspicious or high-risk transaction, your bank or payment provider may ask for extra authentication beyond the basic two factors.
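The core principle and the risk-based step-up can be written as a small decision function. This is an added illustration, not text from the RBI Directions or any bank's code. The factor names, the `high_risk` flag, the treatment of the logged-in device as a static factor and the modelling of step-up as a third factor are all assumptions.

```python
from dataclasses import dataclass

# Factor names are hypothetical labels for the methods the article lists.
# Hardware tokens are allowed by the article but not classified there, so they are left out.
DYNAMIC = {"sms_otp", "app_code", "passkey", "biometric_prompt", "app_approval"}
# Assumption: the logged-in device is treated as a static factor here.
STATIC = {"saved_password", "logged_in_device"}


@dataclass(frozen=True)
class Payment:
    card_present: bool
    factors: tuple            # methods that verified successfully
    high_risk: bool = False   # assumed output of the bank's own risk engine


def evaluate(p: Payment):
    """Return (decision, reason) for one payment under the rule as summarised."""
    distinct = set(p.factors)  # assumption: repeating one method is not two factors
    unknown = distinct - DYNAMIC - STATIC
    if unknown:
        return "REJECT", "unclassified factor: " + ", ".join(sorted(unknown))
    if len(distinct) < 2:
        return "REJECT", "fewer than two factors"
    if not p.card_present and not (distinct & DYNAMIC):
        return "REJECT", "no dynamic factor on a non-card-present payment"
    # Assumption: step-up is modelled as asking for a third factor; the
    # article only says the bank may ask for extra authentication.
    if p.high_risk and len(distinct) < 3:
        return "STEP_UP", "high-risk payment, extra authentication requested"
    return "ALLOW", "two factors verified"


# Constructed sample payments, not real transaction data.
SAMPLES = {
    "fingerprint in app": Payment(False, ("biometric_prompt", "logged_in_device")),
    "password + device only": Payment(False, ("saved_password", "logged_in_device")),
    "same OTP twice": Payment(False, ("sms_otp", "sms_otp")),
    "flagged by risk engine": Payment(False, ("sms_otp", "saved_password"), True),
    "flagged, third factor": Payment(False, ("sms_otp", "saved_password", "passkey"), True),
}

if __name__ == "__main__":
    for name, payment in SAMPLES.items():
        print(f"{name:24} -> {evaluate(payment)}")
```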
Old norm vs new framework
The biggest myth is that the rule removes OTP. It does not. The table below shows the real shift: from one de-facto method to a choice of compliant methods.
| Point | Old position (before 1 April 2026) | New framework (from 1 April 2026) |
|---|---|---|
| Is 2FA required? | Yes | Yes, still required for every digital payment |
| Allowed second factor | SMS OTP was the de-facto method used by almost everyone | SMS OTP plus biometrics, passkeys, in-app approval or hardware tokens |
| Dynamic factor | OTP was dynamic by habit | At least one dynamic factor is mandatory for non-card-present payments |
| Is SMS OTP banned? | Not applicable | No, SMS OTP stays fully valid |
| High-risk transactions | Handled case by case | Banks may apply extra authentication on a risk basis |
Read the table once more if you skimmed: two-factor authentication is still compulsory. The rule widens the menu of factors; it does not let you pay with nothing.
Cross-border card payments
There is a separate timeline for cross-border card-not-present payments. For non-recurring cross-border card-not-present transactions, card issuers in India must validate an Additional Factor of Authentication when the overseas merchant or acquirer asks for it. The cross-border timeline is 1 October 2026, later than the 1 April 2026 domestic date. Keep the two dates distinct.
What you should do
You do not need to apply for anything. Your bank handles the change. A few practical steps still help.
- Keep your registered mobile number active so OTP-based authentication keeps working as a fallback.
- When your banking app offers to set up a passkey, app approval or biometric login, accept it. These are the new compliant dynamic factors.
- Do not share any OTP, passkey approval or biometric prompt with anyone. The rule strengthens security; social engineering still defeats it if you approve a stranger's payment.
- Remember that small-value contactless card payments up to Rs 5,000 per transaction can still be done without an additional factor under existing RBI norms. This is an established exemption and is unchanged by the new principle.
- For recurring e-mandates and certain small-value flows, existing RBI exemptions continue to apply.
A quick example
Dr. Shrawan Kumar Pathak pays for a streaming subscription through his bank app. Before April 2026 he typed an SMS OTP every time. After the new framework starts, his bank lets him approve the same payment with a fingerprint inside the app. That fingerprint is his dynamic factor, generated fresh for that transaction, paired with his logged-in device as the second factor. He is still using two-factor authentication. He simply skipped the OTP wait, with no drop in safety.
How RTI helps you here
You can use the RTI Act 2005 to get clarity from the regulator, but apply it to the right body.
The RBI is a public authority, so an RTI application to the RBI works well. You can ask for the text of the Authentication Mechanisms Directions 2025, any frequently asked questions the RBI has published, and the policy reasoning behind the change. Frame your request narrowly and factually for a faster reply.
Private banks are generally not public authorities, so an RTI to your private bank is limited. For an actual transaction dispute, such as an unauthorised debit or a failed authentication, the correct route is the RBI Integrated Ombudsman scheme, RB-IOS 2021, after you first complain to your bank.
To draft a clean RTI to the RBI, use the AI RTI Drafter. Track your 30-day reply clock with the Timeline Tracker. If the reply is vague, run it through the PIO Reply Checker before you escalate, and prepare your next move with the First Appeal Builder. For the full method, read The RTI Playbook.
Frequently asked questions
Does the new rule mean OTP-free payments?
No. This is the most common misunderstanding. Two-factor authentication stays mandatory for every digital payment. The rule only allows alternatives to SMS OTP, such as biometrics, passkeys or in-app approval. SMS OTP itself remains a valid method, so nothing breaks if your bank keeps using it.
When does the rule take effect?
The domestic compliance date is 1 April 2026. The Directions were issued by the RBI on 25 September 2025. A separate timeline of 1 October 2026 applies to additional-factor validation for non-recurring cross-border card-not-present transactions.
What is a dynamic factor?
A dynamic factor is an authentication element created fresh for a single transaction. Examples are a one-time password, an app-generated code, a passkey approval or a live biometric prompt. A saved password is static, so for a non-card-present payment at least one of the two factors must be dynamic.
Do I need to do anything to switch over?
No application is needed. Your bank and payment provider implement the change. You only need to keep your registered mobile number active and accept new options like passkeys or biometric approval when your app offers them.
Are small contactless payments affected?
Small-value contactless card payments up to Rs 5,000 per transaction can still be done without an additional factor. This is an existing RBI norm and is not removed by the new principle. Certain recurring e-mandates also keep their existing exemptions.
Can I file an RTI with the RBI about this rule?
Yes. The RBI is a public authority under the RTI Act 2005. You can request the Directions text, any official FAQs and the policy reasoning. The PIO must reply within 30 days. RTI to a private bank is limited, so use the RBI Integrated Ombudsman for transaction disputes.
Will high-value or suspicious payments need more checks?
Possibly. The framework is risk-based. For a transaction that looks suspicious or high-risk, your bank or payment provider may add authentication beyond the basic two factors. This is a safeguard against fraud, not a routine extra step for normal payments.
Is SMS OTP being phased out?
No. The rule is technology-neutral and does not ban any single method. SMS OTP remains a fully valid second factor. Banks may offer newer options alongside it, but they are free to continue using OTP where they choose.
What to do in the next 30 minutes
- Check that your registered mobile number with your bank is current.
- Open your main banking app and enable any offered passkey, biometric or in-app approval.
- If you have a pending payment dispute, note your bank complaint date so you can escalate to the RBI Ombudsman if needed.
- If you want the official text, draft an RTI to the RBI using the AI RTI Drafter linked above.
Sources
- Reserve Bank of India, press release and Authentication Mechanisms for Digital Payment Transactions Directions, 2025, dated 25 September 2025, rbi.org.in
- Business Standard, RBI issues directions on authentication mechanisms for digital payment transactions, 25 September 2025
- KPMG India, analysis of the RBI Authentication Mechanisms Directions 2025