UAE Banks Must Eliminate SMS OTPs by 2026 — Here’s How to Prepare

June 25, 2025

The Central Bank of the UAE has issued a new directive requiring all financial institutions to eliminate SMS and email-based one-time passwords (OTPs) by March 2026. With fraud on the rise and only a handful of banks fully compliant, the race is on to adopt secure, biometric, and risk-based authentication methods.

In June 2025, the Central Bank of the United Arab Emirates (CBUAE) issued a decisive regulatory directive that will reshape the way banks and fintech companies manage customer authentication. The mandate requires all financial institutions in the UAE to phase out weak forms of two-factor authentication—specifically, SMS and email one-time passwords (OTPs)—by March 2026. These outdated methods must be replaced with secure multi-factor authentication that leverages biometrics and app-based authentication, is built on strong cryptographic foundations, and is ideally designed with future threats in mind—including the need for post-quantum readiness.

This regulation is a direct response to a sharp rise in financial scams. According to the Global Anti-Scam Alliance’s report, in 2023 alone, over 40,000 fraud victims in the UAE lost an average of $2,194 each, amounting to approximately $87 million in total losses. The surge in fraud has pushed regulators to demand stronger, more resilient digital identity systems across the banking sector.

The CBUAE is now requiring all banks and fintechs to adopt risk-based, multi-factor authentication (MFA) solutions—especially those that leverage facial biometrics, soft tokens, Emirates ID integration, and UAE Pass. 

This move follows a broader global shift toward stronger digital identity security. 

Why SMS OTPs Are No Longer Fit for Purpose

Although SMS OTPs have historically been a convenient stopgap for second-factor authentication, they now pose more risks than benefits. Technically speaking, SMS is transmitted through an outdated and insecure telecommunications infrastructure. It’s susceptible to interception, SIM-swapping attacks, and exploitation of SS7 protocol vulnerabilities. These risks have been well-documented and are regularly exploited by cybercriminals around the world.

Beyond the technical vulnerabilities, SMS OTPs also carry operational downsides. Banks must pay per-message fees to telecom providers, making the method not only insecure but also expensive at scale. Meanwhile, the user experience is clunky: copying codes from SMS to an app invites typos and delays, especially during high-stakes transactions. From a regulatory standpoint, SMS OTPs also fail to meet the expectations of modern compliance frameworks, which increasingly require cryptographic security, dynamic fraud monitoring, and biometric verification.

With all these weaknesses, it’s no surprise that CBUAE has moved to eliminate SMS OTPs altogether, pushing the sector toward solutions that are both secure and user-centric. Countries like Singapore and Malaysia have already outlawed SMS OTPs in banking due to the rising threat of fraud and identity theft. The UAE, a regional leader in digital transformation, is now signaling to its financial ecosystem that the bar for customer protection is rising—and institutions must act quickly to stay compliant.

How Wultra Helps UAE Institutions Replace SMS OTP—Securely and Quickly

At Wultra, we help banks and fintechs transition from outdated, high-risk authentication methods to modern, fully compliant solutions that are quantum-resistant and easy to use. We’ve already supported institutions across Europe, Asia, and the MENA region in moving away from SMS OTPs, and we’re uniquely positioned to help UAE financial organizations meet the 2026 deadline.

Our Mobile-First Authentication platform allows institutions to replace SMS OTPs with secure, cryptographically protected login and transaction approval mechanisms. This process is not only vastly more secure than SMS, but it’s also significantly faster and more convenient for end users. Wultra offers post-quantum authentication that’s still rare in the market, designed to protect your business not just today, but against tomorrow’s quantum-scale threats.

To meet the biometric authentication component of the regulation, Wultra provides advanced facial recognition technology that’s seamlessly integrated into mobile banking apps. Our biometric solution is passive and intuitive—users simply look at their device, and the system verifies their identity using AI-powered facial matching. It’s resistant to spoofing, privacy-preserving, and designed to comply with regulations that demand both strong and user-friendly security.

Security, however, doesn’t end at authentication. The CBUAE directive also highlights the need for real-time fraud detection and response. That’s where Wultra’s In-App Protection comes in. Our tools allow apps to detect rooted or jailbroken devices, code tampering, remote desktop applications, and many other indicators. If suspicious behavior is detected, the application can respond in real time—by terminating itself, displaying warnings, or restricting functionality. It can also send data into the bank’s Fraud Detection System (FDS) or SIEM.

Our solutions are compatible with national identity systems and can be tailored to work alongside Emirates ID and UAE Pass to meet both regulatory and user expectations. 

A Realistic Path to Compliance

Implementing these changes may seem complex, but the timeline is manageable—with the right partner. Wultra’s modular architecture and ready-to-integrate SDKs allow banks to go live in just weeks, not months. Our team provides end-to-end support: from audit and planning to deployment, testing, and continuous improvement.

We’ve helped institutions completely phase out SMS OTPs in less than two months, ensuring no disruption to customer experience while delivering tangible improvements in both security and operational efficiency.

Building Trust and Security Beyond the Deadline

This regulation is more than a compliance checkbox; it’s a strategic opportunity. By moving away from SMS OTPs, UAE banks and fintechs can significantly reduce fraud risk, lower operational costs, and deliver a smoother, faster digital experience for their users. In a highly competitive financial market, that kind of improvement can translate into stronger customer retention and brand loyalty.

The March 2026 deadline is fast approaching, but with the right technology partner, banks and fintechs in the UAE can be fully compliant—and even ahead of the curve—well before then. At Wultra, we’re ready to help you modernize your authentication infrastructure with proven solutions that meet regulatory standards and exceed user expectations.

Get in touch with our team today to book a consultation. 
