U.A.E. Strong Authentication Mandate Signals Shift Away From SMS OTPs

According to a recent LinkedIn post from Ideem, the Central Bank of the U.A.E. is moving to ban SMS and email one-time passwords for financial services, mandating “strong authentication” by March 31, 2026. The post cites requirements for banks and other licensed institutions to adopt methods such as biometrics, cryptographic tokens including passkeys, in-app verification, or behavioral biometrics.

The post further notes that SMS and email OTPs, as well as static passwords used alone, no longer qualify as sufficient security factors under the new regime. It also highlights that fraud in 3DS transactions involving SMS OTPs now triggers a requirement for full customer refunds, which the post says is effective immediately.

According to Ideem’s commentary, Saudi Arabia’s earlier move on authentication standards is seen as setting the tone, while the U.A.E. is described as setting a firm deadline. The post suggests that this regulatory change reflects and accelerates a global shift away from OTP-based authentication, implying growing regulatory and commercial pressure on legacy authentication models.

For investors, these developments may signal increased demand for advanced authentication technologies, including biometrics, passkey infrastructure, and in-app verification solutions. Vendors already positioned in these areas, or capable of helping financial institutions meet the 2026 deadline and comply with refund obligations around 3DS fraud, could see expanded addressable markets in the Gulf region and beyond.

The stronger liability framework around 3DS fraud could also increase banks’ incentives to invest in more robust fraud-prevention tools and customer-authentication upgrades. More broadly, the post points to tightening regulatory standards that may raise compliance costs for financial institutions but also open opportunities for cybersecurity and digital-identity providers competing to replace SMS and email OTPs globally.