Since April 1, 2026, the Reserve Bank of India (RBI) has enforced new digital payment rules: OTP alone is no longer sufficient for UPI and online transactions. All payments now require two-factor authentication (2FA), which adds an extra layer of security such as a PIN, password, or biometric check.
What Has Changed
OTP alone won’t work anymore: SMS-based OTPs, which were the dominant form of authentication, must now be paired with another verification method.
Mandatory Two-Factor Authentication (2FA): Every UPI, card, or wallet transaction requires an additional step such as a PIN, password, fingerprint, or facial recognition.
Risk-based authentication: Banks will apply stricter checks for high-value or suspicious transactions, while smaller payments may use lighter verification.
Why RBI Introduced These Rules
Curbing fraud: OTP-only systems were increasingly vulnerable to phishing and SIM-swap scams.
Improving accountability: Banks are now responsible for ensuring secure authentication and resolving fraud complaints faster.
Safer digital ecosystem: With UPI and mobile wallets growing rapidly, RBI aims to strengthen trust in India’s digital payments infrastructure.
Impact on Users
For UPI apps (GPay, PhonePe, Paytm): Expect an extra verification step before completing transactions.
For card payments: Online shopping will require both an OTP and an additional password or biometric check.
For wallets: Transfers will also need dual authentication.
For consumers: Transactions may take slightly longer, but security is significantly enhanced.
What You Should Do
Update your UPI apps to the latest versions to ensure compliance.
Enable biometric authentication (fingerprint/face ID) on your devices for smoother transactions.
Stay alert for phishing attempts—always verify official bank communications.
Check with your bank for specific changes in login or payment processes.