The Central Bank of the UAE issued a new directive requiring all financial institutions to eliminate SMS and email-based one-time passwords (OTPs) by the end of March 2026. With fraud on the rise and the deadline now in effect, banks across the UAE are accelerating the adoption of secure, biometric, and risk-based authentication methods.
In June 2025, the Central Bank of the United Arab Emirates (CBUAE) issued a decisive regulatory directive that will reshape the way banks and fintech companies manage customer authentication. The mandate requires all financial institutions in the UAE to phase out weak forms of two-factor authentication — specifically, SMS and email one-time passwords (OTPs) — by March 2026. These outdated methods must be replaced with secure multi-factor authentication that leverages biometrics and app-based authentication, is built on strong cryptographic foundations, and is ideally designed with future threats in mind—including the need for post-quantum readiness.
This regulation is a direct response to a sharp rise in financial scams. According to the Global Anti-Scam Alliance’s report, in 2023 alone, over 40,000 fraud victims in the UAE lost an average of $2,194 each, amounting to approximately $87 million in total losses. The surge in fraud has pushed regulators to demand stronger, more resilient digital identity systems across the banking sector.
The CBUAE is now requiring all banks and fintechs to adopt risk-based, multi-factor authentication (MFA) solutions — especially those that leverage facial biometrics, soft tokens, Emirates ID integration, and UAE Pass.
This move follows a broader global shift away from SMS OTP authentication toward phishing-resistant, biometric, and app-based authentication methods designed to reduce fraud and strengthen digital identity security.
Why SMS OTPs Are No Longer Fit for Purpose
Although SMS OTPs have historically been a convenient stopgap for second-factor authentication, they now pose more risks than benefits. From a technical perspective, SMS messages are transmitted through outdated and inherently insecure telecommunications infrastructure. They’re susceptible to interception, SIM-swapping attacks, and exploitation of SS7 protocol vulnerabilities. These risks have been well-documented and are regularly exploited by cybercriminals around the world.
Beyond the technical vulnerabilities, SMS OTPs also carry operational downsides. Banks must pay per-message fees to telecom providers, making the method not only insecure but also expensive at scale. Meanwhile, the user experience is clunky: copying codes from SMS to an app invites typos and delays, especially during high-stakes transactions. From a regulatory standpoint, SMS OTPs also fail to meet the expectations of modern compliance frameworks, which increasingly require cryptographic security, dynamic fraud monitoring, and biometric verification.
With all these weaknesses, it’s no surprise that CBUAE has moved to eliminate SMS OTPs altogether, pushing the sector toward solutions that are both secure and user-centric. Countries like Singapore and Malaysia have already outlawed SMS OTPs in banking due to the rising threat of fraud and identity theft. The UAE, a regional leader in digital transformation, is now signaling to its financial ecosystem that the bar for customer protection is rising—and institutions must act quickly to stay compliant.
How Wultra Helps UAE Institutions Replace SMS OTPs — Securely and Quickly
At Wultra, we help banks and fintechs transition from outdated, high-risk authentication methods to modern, fully compliant solutions that are quantum-resistant and easy to use. We’ve already supported institutions across Europe, Asia, and the MENA region in moving away from SMS OTPs, and we’re uniquely positioned to help UAE financial organizations comply with the latest CBUAE authentication requirements.
Our Mobile-First Authentication platform allows institutions to replace SMS OTPs with secure, cryptographically protected login and transaction approval mechanisms. This process is not only vastly more secure than SMS, but it’s also significantly faster and more convenient for end users. Wultra offers post-quantum authentication capabilities that remain relatively rare across the market, helping protect your business not only against today’s threats, but also against future quantum-scale attacks.
To meet the biometric authentication component of the regulation, Wultra provides advanced facial recognition technology that’s seamlessly integrated into mobile banking apps. Our biometric solution is passive and intuitive — users simply look at their device, and the system verifies their identity using AI-powered facial matching. It’s resistant to spoofing, privacy-preserving, and designed to comply with regulations that demand both strong and user-friendly security.
Security, however, doesn’t end at authentication. The CBUAE directive also highlights the need for real-time fraud detection and response. That’s where Wultra’s In-App Protection comes in. Our tools allow apps to detect rooted or jailbroken devices, code tampering, remote desktop applications, and many other indicators. If suspicious behavior is detected, the application can respond in real time — by terminating itself, displaying warnings, or restricting functionalities. It can also send data into the bank’s Fraud Detection System (FDS) or SIEM.
Our solutions are compatible with national identity systems and can be tailored to work alongside Emirates ID and UAE Pass to meet both regulatory and user expectations.
A Realistic Path to Compliance
Implementing these changes may seem complex, but the timeline is manageable — with the right partner. Wultra’s modular architecture and ready-to-integrate SDKs allow banks to go live in just weeks, not months. Our team provides end-to-end support: from audit and planning to deployment, testing, and continuous improvement.
We’ve helped institutions completely phase out SMS OTPs in less than two months, ensuring no disruption to customer experience while delivering tangible improvements in both security and operational efficiency.
Building Trust and Security Beyond the Deadline
This regulation is more than just a compliance checkbox; it’s a strategic opportunity. By moving away from SMS OTPs, UAE banks and fintechs can significantly reduce fraud risk, lower operational costs, and deliver a smoother, faster digital experience for their users. In a highly competitive financial market, that kind of improvement can translate into stronger customer retention and brand loyalty.
With the March 2026 deadline now in effect, banks and fintechs in the UAE must ensure their authentication infrastructure complies with the latest CBUAE requirements. At Wultra, we’re ready to help organizations modernize their authentication infrastructure with proven solutions that meet regulatory standards and exceed user expectations.
Amal Nazar
Frequently asked questions
What is the UAE regulation on SMS OTPs?
The Central Bank of the UAE (CBUAE) now requires banks and fintech companies to phase out SMS and email-based OTP authentication and replace them with more secure authentication methods.
Why are SMS OTPs considered insecure?
SMS OTPs are vulnerable to SIM-swapping attacks, phishing, SS7 exploitation, and message interception, making them less secure than modern app-based and biometric authentication methods.
What authentication methods can replace SMS OTPs?
Banks can replace SMS OTPs with biometric authentication, mobile push authentication, soft tokens, passkeys, and app-based multi-factor authentication solutions.
What is risk-based authentication?
Risk-based authentication evaluates contextual signals such as device integrity, user behavior, and transaction risk to dynamically determine the appropriate level of authentication security.
Does Wultra support UAE Pass and Emirates ID integration?
Yes. Wultra’s authentication and identity solutions can be integrated alongside UAE Pass and Emirates ID to support secure and compliant digital banking experiences in the UAE.
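
The risk-based authentication described in the FAQ above, combined with the device signals listed earlier (rooted or jailbroken device, code tampering, remote desktop applications), can be expressed as a server-side decision function. This is an added example, not Wultra's code or anything specified by the CBUAE; the signal schema, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    ALLOW = "allow"        # current session is sufficient
    STEP_UP = "step_up"    # require biometric or in-app approval
    DENY = "deny"          # refuse and report to fraud monitoring

@dataclass(frozen=True)
class Signals:
    # Constructed schema. None means the app did not report the signal.
    rooted: Optional[bool]
    tampered: Optional[bool]
    remote_desktop: Optional[bool]
    known_device: bool
    new_payee: bool
    amount_aed: float

# Illustrative weights and thresholds, not regulatory or vendor values.
STEP_UP_SCORE = 40
HIGH_VALUE_AED = 10_000

def decide(s: Signals) -> tuple[Decision, list[str]]:
    # Hard stops: these are never traded off against a low-risk transaction.
    if s.tampered:
        return Decision.DENY, ["code tampering detected"]
    if s.remote_desktop:
        return Decision.DENY, ["remote desktop application active"]
    score, reasons = 0, []
    checks = [
        (s.rooted, 40, "rooted or jailbroken device"),
        (not s.known_device, 30, "unrecognised device"),
        (s.new_payee, 20, "first payment to this payee"),
        (s.amount_aed >= HIGH_VALUE_AED, 30, "high-value transaction"),
    ]
    # Fail closed: a missing integrity signal counts as risk, never as clean.
    for name in ("rooted", "tampered", "remote_desktop"):
        checks.append((getattr(s, name) is None, 40, f"{name} signal missing"))
    for hit, weight, reason in checks:
        if hit:
            score += weight
            reasons.append(reason)
    return (Decision.STEP_UP if score >= STEP_UP_SCORE else Decision.ALLOW), reasons
```

The returned reasons list is what would be forwarded to the bank's FDS or SIEM alongside the decision.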

