Dailyhunt
RBI mandates two-factor authentication for all digital payments from April 1: What it means for you

Upstox 1 month ago

Starting April 1, 2026, all digital payment transactions in India will require two-factor authentication (2FA), as per the Reserve Bank of India's 2025 directions.

The rule applies to all entities in the payment ecosystem, including banks and non-bank players.

The move aims to introduce alternative authentication methods and to transition from the usual one-time password (OTP)-based authentication, in order to strengthen the payment ecosystem.

New payment authentication methods

The RBI's notification dated September 25, 2025, defined a factor of authentication as a customer credential that can be used for authentication. It added that the factors of authentication can be from "something the user has", "something the user knows" or "something the user is".

Further, it listed new payment authentication methods, including password, SMS-based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device-native or Aadhaar-based).

What changes for users with two-factor authentication in place from April 1, 2026

Going forward, while undertaking digital transactions, users may see a combination of OTP and other device-specific authentication, or something similar. Furthermore, the RBI has mandated that, of the two factors of authentication, one needs to be dynamically created or proven, meaning the proof of possession of the factor sent as part of the transaction shall be unique to that transaction.

The overall mechanism of authentication has to be robust such that any compromise of one factor does not affect the reliability of the other.

Besides, the issuer will be responsible for ensuring the robustness as well as the integrity of the authentication method. If any loss arises due to non-compliance on the part of the issuer, the issuer will compensate the user in full.

For cross-border digital transactions, the issuers will put in place a robust risk-based mechanism by October 1, 2026.

Disclaimer: This content has not been generated, created or edited by Dailyhunt. Publisher: upStox