The Reserve Bank of India’s directive on two-factor authentication for digital payments came into effect on Wednesday. The move is aimed at curbing digital fraud by adding a layer of verification to protect account holders and prevent unauthorised transactions.
Under the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025, all payment system providers and participants, including banks and non-bank entities, must authenticate digital payment transactions using at least two distinct authentication factors.
Industry sources said that this will also include UPI transactions. Currently, the mobile number linked with the user’s bank and the UPI PIN are the two authenticating factors for UPI transactions.
The factors of authentication may comprise a password, SMS-based OTP, passphrase, PIN, software token, fingerprint, or any other form of biometrics (device-native or Aadhaar-based). The central bank had said that service providers will offer a choice of authentication factors to their customers in compliance with these directions.
The notification, however, had said that this additional authentication will not be applicable for certain transaction types like small-value contactless card transactions, recurring transactions with electronic mandates (except the first) and select prepaid instruments. Domestic transactions will be covered initially, and banks and payment service providers are upgrading their systems to support two-factor authentication and add safeguards at the app and device level.
RBI has also directed card issuers to put in place a mechanism by October 1, 2026, to validate non-recurring, cross-border card-not-present (CNP) transactions, where the request for authentication is raised by an overseas merchant or overseas acquirer.
“OTPs have become deeply embedded in India’s financial ecosystem. But they only aim at establishing possession. If someone gains access to your SIM or tricks you into revealing it, it gives easy access to the fraudster to take control of your sensitive assets. In an ecosystem like UPI, where transactions settle in seconds, the only meaningful window to act is before the transaction is completed.
“Trust has to be established through context, by combining who you are, what you know, and what you have, and evaluating these signals in real time,” said Anil Tadimeti, director, strategy & regulatory affairs, Bureau, a digital risk management and fraud detection solutions provider.
Banks and payment service providers may undertake additional checks beyond the two-factor authentication.