The Central Bank of the UAE (CBUAE) is preparing to phase out SMS-based One-Time Passwords (OTPs) in favor of stronger, more future-ready authentication methods.
For UAE Banks and fintechs, this moment marks a critical crossroad: apply temporary, outdated patches or leapfrog directly into a quantum-safe, seamless digital identity framework. The choice will define competitive advantage in a market where both regulation and customer trust are tightening.
Regulatory Momentum and the Fall of OTPs
The CBUAE’s upcoming changes reflect a global trend. Across Europe, PSD2 and eIDAS have already driven the move from vulnerable SMS OTPs toward stronger electronic authentication. The UAE follows suit, pushing banks and fintechs to adopt secure, compliant mechanisms that resist phishing, SIM swapping, and man-in-the-middle attacks.
The urgency isn’t only regulatory. Customer anxiety over banking fraud is rising, fueled by frequent headlines about account takeovers and social engineering scams. An escalating wave of sophisticated cyber threats across the region underscores that SMS OTPs are no longer a viable security measure.
Recent reports from the region highlight the growing sophistication of cyber threats, making it clear that SMS OTPs are no longer fit for purpose. (Article 1, Article 2)
Post-Quantum Authentication, From Optional to Inevitable
The looming quantum threat may seem far away, but for UAE banks and fintechs, the countdown has already begun. In mid-2024, the US National Institute of Standards and Technology (NIST) released the first set of post-quantum cryptography (PQC) standards, designed to replace RSA and ECC, the public-key algorithms that will be broken once quantum computing reaches maturity. UAE regulators are closely tracking these global developments, and with “crypto-break” forecasts as early as 2030, institutions that delay action risk both operational disruption and compliance pressure.
For the first time, Gartner® mentions post-quantum authentication in their Hype Cycle™ for Digital Identity, 2025, placing it into the Innovation Triggers with an expected time to the plateau of productivity of 2-5 years. The research states that "By 2029, advances in quantum computing will weaken and break the conventional asymmetric cryptography that underpins many authentication methods."
Forward-looking financial institutions in the UAE can get ready for this emerging technology trend, bypass “short-term fixes”, and move directly to authentication frameworks built with PQC and crypto-agility, demonstrating to customers, partners, and the Central Bank that security here is not just a box-ticking exercise, but a strategic advantage in an increasingly digital, regulation-driven market.
Mapping the Transition Beyond OTPs
Comparative Assessment: SMS OTP vs. Phishing-Resistant MFA with Post-Quantum Cryptography (PQC)
Steps to Transition:
- Map out the impact on your existing authentication and various user categories.
- Ensure stakeholder buy-in by summarizing the quantum threat and providing additional, short-term benefits.
- Select your migration path to post-quantum authentication (PQA) that is most suitable for your case.
- Plan your migration timeline, execute necessary IT projects and migrate users to PQA.
- Monitor operations and keep up with upcoming updates in cryptography.
Wultra’s Role in Securing the Future
Wultra enables banks and fintechs to move beyond OTPs into post-quantum authentication (PQA) that meets both current and future regulatory expectations. Based on NIST-approved next-generation standards for post-quantum cryptography (PQC), it protects logins, transactions, and approvals from today’s cyber risks, but also from the quantum attacks forecast for the next decade.
Already securing banks and fintechs in more than 20 countries, Wultra delivers a hassle-free migration path, integrating post-quantum authentication into existing apps without costly multi-phase overhauls. By making the transition now, we are ready to help UAE banks and fintechs future-proof their security, strengthen their compliance posture, and ensure customer trust in the quantum era.
Gaining the Edge That Lasts
The shift away from OTPs is more than a regulatory change — it’s a chance for UAE banks and fintechs to get ahead of the security curve. Those who adopt post-quantum authentication today aren’t just securing transactions. They’re building resilience, trust, and market differentiation, gaining the edge that lasts for decades.
.webp)