New rule: UAE banks to stop sending OTPs via SMS and email starting July 25

Abu Dhabi: In a major shift aimed at strengthening digital banking security, banks in the UAE will begin phasing out one-time passwords (OTPs) sent via SMS and email, starting Friday, July 25.

Under new guidelines from the UAE Central Bank, all banks must transition customers to app-based authentication for both domestic and international financial transactions.

The move marks a significant shift from the long-standing reliance on SMS and email OTPs — methods increasingly targeted by cybercriminals through tactics such as SIM swapping and phishing.

Full phase-out by March 2026

The transition will be gradual, with a complete discontinuation of SMS and email OTPs mandated by March 2026. In their place, customers will authenticate transactions through secure technologies embedded within bank mobile apps.

“As per the directives issued by the UAE Central Bank, the practice of receiving OTPs via SMS or email will be phased out. Customers can now complete online transactions easily by selecting the ‘Authentication via App’ feature in their bank’s smart application,” a bank spokesperson said.

Part of UAE’s digital transformation

The move is part of the UAE’s wider strategy to modernise its financial infrastructure and boost trust in digital banking. While the change may take some getting used to for customers familiar with traditional OTPs, banks are urging users to update their apps and start using the new in-app authentication features.

For now, SMS and email OTPs will remain available to select customers during the transition period. But over the next 8 months, these methods will be phased out entirely — making way for more secure, app-based verification.