From April 1, Digital Payments To Undergo ‘These’ Changes: RBI Mandates Two-Step Authentication For All Transactions
New rules aim to curb rising digital fraud; OTP alone will no longer be sufficient for most transactions
Online payments in India are set to undergo a major security upgrade from April 1, 2026, as the Reserve Bank of India (RBI) introduces stricter authentication rules for digital transactions.
Under the new framework, all online payments must be verified using at least two independent authentication factors. This marks a shift from the earlier system where a single OTP (one-time password) was often sufficient to complete a transaction.
The updated rules require that at least one of these authentication factors be “dynamic”, meaning it is generated uniquely for each transaction and cannot be reused. This adds an extra layer of protection against fraud.
Two-factor authentication (2FA) can combine a password, PIN, biometric verification such as fingerprint or facial recognition, software tokens generated within banking apps, hardware tokens, or OTPs. However, an OTP will now act as just one layer, not the sole security measure.
The move comes in response to the growing number of sophisticated digital frauds. Scams such as SIM swapping, phishing attacks, and malware-based theft have increasingly targeted OTP-based systems, making them vulnerable.
A key feature of the new system is “dynamic authentication”. For example, a transaction may require a PIN along with a biometric scan, or a password combined with a one-time token. Even if one layer is compromised, the second layer will block unauthorised access.
In a significant step for consumer protection, the RBI has also clarified that banks will be held accountable in cases where fraud occurs due to failure in implementing these security measures. This means customers may be compensated if lapses are found on the institution’s part.
To balance security with convenience, the framework introduces risk-based authentication. Smaller, routine transactions may require simpler verification, while high-value or unusual transactions—such as those made from a new location or at odd hours—will trigger stricter checks.
The changes are expected to slightly increase the time taken to complete transactions but will significantly improve safety across India’s rapidly growing digital payments ecosystem.
Further tightening is also planned, with stricter authentication rules for international transactions set to come into effect from October 1, 2026.
Overall, the new rules signal a shift towards stronger, technology-driven security while maintaining flexibility for banks and fintech companies to adopt advanced solutions.



