Bengaluru, 30th September 2025: The Reserve Bank of India (RBI) has rolled out new rules to strengthen authentication in digital transactions, making two-factor authentication (2FA) compulsory for all domestic payments starting April 1, 2026.
The directions, issued under the Authentication Mechanisms for Digital Payment Transactions, 2025, require every payment to be verified through at least two distinct factors — knowledge (PIN, password), possession (device token), or inherence (biometric). For card-not-present and online transactions, one factor will need to be dynamic and unique to each transaction, a move aimed at curbing fraud.
Unlike earlier blanket rules, the central bank has allowed issuers to adopt a risk-based approach. This means additional checks such as biometrics or contextual verification can be triggered for high-value or high-risk payments, while smaller, low-risk transactions can remain seamless.
The guidelines also bring cross-border, card-not-present transactions under their ambit from October 1, 2026. While SMS OTPs will continue, they cannot be the only layer of authentication. Exemptions have been carved out for small-value contactless payments, recurring transactions, NETC/Fastag, and offline digital modes.
Issuers will be responsible to safeguard customer interests and compensate for losses in cases of non-compliance. The directions also call for alignment with the Digital Personal Data Protection Act, 2023.
Commenting on the move, Martin P. S., Chief Operating Officer, Ujjivan Small Finance Bank Ltd said, “Securing today, empowering tomorrow — The Reserve Bank of India’s 2025 guidelines on authentication for digital payments mark a key step in strengthening trust and safety in India’s payment ecosystem. By mandating robust and dynamic two-factor authentication, while enabling adoption of advanced technologies, these directions will empower customers and reduce operational risk for banks.”
