RBI Makes Two-Factor Authentication Mandatory For All Digital Transactions From April 1

Single OTP no longer sufficient; PIN, biometrics, or device tokens required as second factor to curb rising UPI and card fraud

By: Numa Singh
Update: 2026-03-28 08:53 GMT

Every digital payment in India will require two-factor authentication from April 1, 2026, following a Reserve Bank of India mandate issued in September 2025 — ending the era of single OTP verification and significantly raising the security bar for online and point-of-sale transactions.

Under the new framework, relying solely on a One Time Password to authenticate a transaction will no longer be acceptable. All digital payments must be verified using at least two separate and independent factors drawn from the following options: PIN combined with OTP, biometric verification such as fingerprint or face recognition paired with device binding, a virtual token generated within a banking app, or a static password combined with an additional authentication layer. Two-factor authentication is already in place for credit card transactions — the RBI is now extending this standard universally across all digital payment modes.

In a practical scenario, a customer using a debit card at a point-of-sale terminal will now need to enter their PIN and provide a separate OTP or biometric confirmation before the transaction is approved — adding a second verification layer that was previously optional for many payment types.

The mandate comes in direct response to a surge in financial fraud involving phishing attacks, SIM swap scams, and OTP interception — cases in which fraudsters obtain OTPs sent to victims' phones and drain their bank accounts. The RBI's guidelines also clarify that similar two-factor authentication rules will be extended to international card-not-present transactions by October 1, 2026.
