Banks in the UAE may shift authentication methods for users, introducing seven novel strategies to combat fraud and abandon one-time passwords (OTPs).

Banks in the UAE may shift authentication methods for users, introducing seven novel strategies to combat fraud and abandon one-time passwords (OTPs).

In the United Arab Emirates (UAE), banks are adopting cutting-edge authentication technologies to secure transactions and improve customer experiences. This transition is driven by the UAE Central Bank’s directive to phase out SMS and email one-time passwords (OTPs) by March 31, 2026, due to their vulnerability to phishing, SIM swapping, and SS7 protocol attacks.

These advanced methods include biometric authentication (facial recognition, fingerprint scanning, voice biometrics), Emirates Face Recognition, mobile app-based soft tokens, behavioural biometrics, and hardware security keys.

Biometric authentication uses unique physical traits (face, fingerprint, voice) that are hard to replicate or steal, enhancing accuracy and user convenience compared to traditional OTPs. Emirates Face Recognition leverages the UAE’s national digital ID, enabling trusted, government-backed identity verification that reduces identity fraud. Mobile app-based soft tokens generate cryptographic codes within secure banking apps, protecting against interception attacks common with SMS or email OTPs. Behavioural biometrics monitor user behavior (e.g., typing patterns, device usage habits) to detect anomalies that may indicate fraud, adding an invisible security layer without inconveniencing customers. Hardware security keys serve as physical cryptographic tokens for users with high-risk or high-value accounts, providing a strong, phishing-resistant factor of authentication.

By integrating these technologies, UAE banks enhance security while improving the user experience through faster, seamless authentication. Some banks are now offering security key support for executive and VIP accounts to safeguard access to sensitive accounts. Hardware authenticators, such as YubiKeys, are being used by banks to provide an extra layer of security for high-value transactions, internal communications, and sensitive customer data.

Additionally, UAE banks are piloting Passkeys, a passwordless, biometric-integrated, and phishing-resistant authentication method. Built on the FIDO2 (Fast IDentity Online 2) standards, Passkeys aim to replace or augment OTPs, offering a more secure and user-friendly alternative.

This transition towards advanced authentication technologies is part of the UAE’s broader Financial Infrastructure Transformation Programme, which also includes introducing a digital dirham in late 2025. Banks like Emirates NBD, ADIB, and FAB have begun transitioning customers to these methods, aiming for full compliance by March 2026.

It is important to note that some residents in the UAE face up to Dh120,000 debt from credit card fraud due to lack of OTP and ID verification. The Central Bank of the UAE has taken steps to overhaul traditional authentication methods, spurred by modern hacking techniques.

Angel Tesorero, an Assistant Editor at a news organization, focuses on transport, labour migration, and environmental issues. UAE banks will gradually stop sending OTPs via SMS and email for digital transactions starting July 25, 2025. This move is expected to significantly reduce fraud risks and strengthen the UAE’s reputation as a global leader in digital finance, not only safeguarding customers but also attracting more businesses to the region.

References:

[1] Emirates NBD. (2022). Emirates NBD to phase out SMS OTPs by March 2026. Retrieved from https://www.emiratesnbd.com/news/press-releases/emirates-nbd-to-phase-out-sms-otps-by-march-2026

[2] The National. (2022). UAE banks to phase out SMS and email OTPs for digital transactions. Retrieved from https://www.thenationalnews.com/business/banking/uae-banks-to-phase-out-sms-and-email-otps-for-digital-transactions-1.1137846

[3] Zawya. (2022). UAE Central Bank directive to phase out SMS and email OTPs by March 2026. Retrieved from https://www.zawya.com/mena/en/press-releases/company-announcements/uae-central-bank-directive-to-phase-out-sms-and-email-otps-by-march-2026-nj3y7w7w

1. The UAE Central Bank's directive will phase out SMS and email one-time passwords (OTPs) in UAE banks by March 31, 2026, due to their vulnerability to cybersecurity threats.
2. As a result, banks in the UAE are adopting advanced authentication technologies like facial recognition, fingerprint scanning, and mobile app-based soft tokens to secure transactions.
3. Behavioural biometrics and hardware security keys are also being used to detect fraud and provide strong, phishing-resistant factors of authentication.
4. Some banks are offering security key support for high-risk accounts, while hardware authenticators like YubiKeys are being used for additional security in high-value transactions.
5. UAE banks are also piloting Passkeys, a secure and user-friendly alternative to OTPs, as part of the Financial Infrastructure Transformation Programme.
6. These changes are expected to reduce fraud risks, enhance the user experience, and even attract more businesses to the region, strengthening the UAE's reputation in digital finance.
7. However, some residents in the UAE are still at risk of credit card fraud due to lack of OTP and ID verification, highlighting the need for these changes in traditional authentication methods.

Read also: