RBI Mandates Stronger 2-Factor Authentication

Fri, 26 September 2025
The Reserve Bank of India has mandated two-factor authentication for all types of digital payments in the country starting from April 1, 2026, with a view to strengthening the security of transactions.

According to the RBI, at least one form of authentication for a transaction is required to be dynamically created or proven. This implies that the proof of possession of this authentication should be unique to that transaction. 

According to the new guidelines, authentication measures include password, SMS-based OTP (One Time Password), passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar based).

Currently, authentication on digital payments relies on SMS and OTP. With the new rules, more measures, including biometrics, can be implemented. However, the RBI stated that the new rules do not call for discontinuation of SMS-based OTP as an authentication factor.

'All digital payment transactions in India are required to meet the norm of two factors of authentication. While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based One Time Password (OTP) as the additional factor,' the RBI said. 

The factors of authentication should be such that compromise of one factor does not affect the reliability of the other. The guidelines focus on 'encouraging introduction of new factors of authentication by leveraging upon technological advancements. Enabling issuers to adopt additional risk-based checks beyond the minimum two-factor authentication based on the fraud risk perception of the underlying transaction,' RBI added.

It also mandates card issuers to validate AFA (additional factor of authentication) in non-recurring cross-border CNP (card-not-present) transactions whenever such a request is raised by the overseas merchant or acquirer. 

"The recently released AFA Directions strike an important balance between consumer security and innovation. We truly appreciate the regulator's consideration of industry feedback. The clarity and flexibility provided will enable issuers and payment players to embrace next-generation tools like biometrics, tokenization, and contextual risk checks," said Vishwas Patel, Chair, Payments Council of India and Joint Managing Director, Infibeam Avenues.

-- Ajinkya Kawale, Business Standard