From 6 January 2026, major banks in the United Arab Emirates will stop sending one‑time passwords by SMS for online card payments and move customers to in‑app authentication methods. The Central Bank of the UAE has ordered the shift to reduce SMS‑related fraud and bring the country’s payment security in line with global best practice.
UAE ends SMS OTPs to curb SIM‑swap and interception fraud
SMS codes, once the default second-factor for digital payments, have become vulnerable to a range of sophisticated attacks. Regulators cited rising incidents of SIM‑swapping, phishing sites that harvest codes, and interception exploits that abuse legacy telecom protocols. Notice 2025/3057 issued by the Central Bank forbids SMS and email OTPs as standalone authentication for high‑risk transactions, prompting banks to adopt a closed‑loop, mobile‑first approach.
The change affects both online shoppers and businesses that process card payments. From early January, transactions that rely solely on SMS confirmation will be declined. Banks that have already updated their systems will replace incoming text codes with push notifications sent directly from the bank app.
How in‑app approvals work
The new workflow is designed to be faster and more secure. After a card payment is initiated, the merchant triggers a request that the bank relays to the customer’s official app. The notification opens the app and displays the merchant name and the amount for immediate review. The customer then confirms the payment using biometric authentication such as Face ID or a fingerprint, or by entering a bank‑issued Smart Pass PIN.
Because the approval occurs inside the bank’s application and on a device that has already been tied to the account, the process removes reliance on the public telephone network. That closed‑loop model substantially reduces the attack surface for fraudsters and eliminates the common problems faced by travellers who cannot receive SMS codes while roaming.
What customers must do now
Residents should act ahead of the deadline to avoid disruption. Steps include updating the bank’s mobile app, enabling push notifications and biometric login, and completing any in‑app authentication registration. Banks recommend customers verify their device settings to ensure notifications are allowed and that biometric features are configured.
Financial institutions generally advise completing setup well before 6 January. Regulators have allowed banks until March 2026 to finish the phase‑out, but many lenders are implementing the change early to reduce fraud exposure.
The move is part of a broader programme by the Central Bank to strengthen the UAE’s digital banking infrastructure. By replacing SMS OTPs with encrypted, in‑app approvals and biometric verification, authorities and banks aim to deliver a more secure and convenient payments experience for customers while lowering fraud losses.
Key Takeaways:
- UAE ends SMS OTPs for online transactions from 6 January 2026 to reduce fraud and strengthen banking security.
- The Central Bank of the UAE issued Notice 2025/3057, banning SMS and email OTPs as standalone methods.
- Banks will use in‑app approvals with push notifications and biometric verification for safer, faster payments.
