According to a recent LinkedIn post from Ideem, the Central Bank of the UAE is moving to ban SMS and email one-time passwords for financial services, mandating “strong authentication” by March 31, 2026. The post cites biometric methods, cryptographic tokens such as passkeys, in-app verification, and behavioral biometrics as qualifying approaches, while SMS and email OTPs and standalone static passwords are described as noncompliant.
The post also notes that for 3DS transactions, fraud involving SMS OTPs will now trigger full customer refunds with immediate effect. This shift suggests rising regulatory and liability pressure on banks, card issuers, acquirers, PSPs, and stored value providers to modernize authentication stacks and may increase near-term compliance and technology-integration costs.
According to the post, Saudi Arabia is portrayed as having “set the tone” and the UAE as having “set the deadline,” implying a broader regional regulatory trajectory away from OTP-based security. For investors, the described changes could accelerate demand for advanced authentication technologies and potentially benefit vendors positioned in biometrics, passkeys, and risk-based authentication, while raising obsolescence risk for legacy OTP-focused solutions.
The post’s framing that “the global shift away from OTPs is accelerating” points to a structural security trend rather than a one-off regulatory move. If this trend continues globally, financial institutions may face a multi-year transition that reshapes competitive dynamics in identity and fraud-prevention markets, with winners likely to be those offering scalable, compliant alternatives to SMS and email OTPs.

