According to a recent LinkedIn post from Ideem, the Central Bank of the UAE (CBUAE) is moving to ban SMS and email one-time passwords (OTPs) for financial services by March 31, 2026. The post indicates that all licensed financial institutions, including banks, card issuers, acquirers, payment service providers, and stored value providers, will be required to adopt stronger authentication methods.
The company’s LinkedIn post highlights that acceptable alternatives include biometrics, cryptographic tokens such as passkeys, in-app verification, and behavioral biometrics. In contrast, SMS OTPs, email OTPs, and static passwords used alone are characterized as insufficient under the new rules.
As shared in the post, fraud related to 3D Secure (3DS) transactions that still rely on SMS OTP will now require full customer refunds with immediate effect. The post further suggests that Saudi Arabia’s earlier moves in this area helped set expectations, while the UAE’s decision now establishes a concrete deadline and accelerates the broader transition.
For investors, this regulatory shift implies a potentially significant reallocation of spending by regional financial institutions toward strong customer authentication technologies. Providers of biometrics, passkeys, and in-app verification solutions could see increased demand, while legacy OTP-based security vendors may face headwinds as their models become non-compliant.
The post also frames the UAE decision as part of a global move away from SMS and email OTPs, which may signal a structural trend in digital identity and payments security. If this trend continues, companies positioned in modern authentication and fraud prevention could benefit from multi-year investment cycles, while financial institutions will need to manage transition costs and implementation risk within tight regulatory timelines.

