Countries phasing out SMS OTPs for online banking security

Dubai: As cyber threats grow more sophisticated, countries are moving away from SMS and email-based one-time passwords (OTPs) in favour of more secure, app-based and biometric authentication methods.

The UAE is the latest to announce such a shift, with banks set to stop sending OTPs via SMS and email starting July 25.

Here’s a look at which countries have already implemented or announced plans to end SMS OTPs, and what changes customers can expect.

In a major move to enhance digital banking security, banks in the UAE will begin phasing out OTPs sent via SMS and email starting Friday, July 25.

Under new UAE Central Bank guidelines, all financial institutions must shift to app-based authentication for both domestic and international transactions.

The reliance on SMS and email OTPs - methods increasingly vulnerable to phishing, SIM swapping, and other cyberattacks will gradually end by March 2026.

Customers are encouraged to use their bank’s mobile app and select the ‘Authentication via App’ feature to complete online transactions securely.

In 2024, the Monetary Authority of Singapore (MAS) announced that major retail banks would phase out one-time passwords for logging into bank accounts over the next three months for users who have activated secure digital tokens.

The MAS strongly urged all online banking users to enable digital tokens, noting that SMS OTPs are no longer required for customers using these secure alternatives.

SMS-based authentication had already been removed for tasks such as adding payees or changing transfer limits, and banks were barred from allowing users to opt out of these enhanced measures to maintain multi-layered security.

To combat rising online scams and fraud, Bank Negara Malaysia (BNM) in 2023 directed all banks to adopt stronger forms of authentication.

Malaysian banks are now required to use app-based verification methods. Customers must register and authenticate transactions using a single, nominated secure device, typically a smartphone with a banking app installed.

In May 2025, the Bangko Sentral ng Pilipinas (BSP) issued a circular instructing banks to limit or stop the use of SMS and email OTPs. Instead, banks must adopt stronger methods such as biometric authentication, device fingerprinting, or passwordless systems.

The deadline for full compliance is June 2026. The move follows increasing concerns over the security risks of SMS OTPs, including interception and social engineering attacks.

The Reserve Bank of India (RBI) announced plans to move away from OTP-based authentication in its February 2024 Statement on Development and Regulatory Policies.

Rather than eliminating additional authentication entirely, the RBI aims to implement a principle-based framework for digital payment verification, signalling a shift from the traditional OTP model.

Regulatory bodies in the U.S. are also moving to retire SMS-based verification:

Under the EU’s Second Payment Services Directive (PSD2), SMS OTPs are not outright banned but are heavily restricted due to security concerns.

In 2024, the EU Login system began phasing out SMS-based OTPs, with full implementation expected by mid-2025. The EU is transitioning towards more secure, app-based and biometric solutions.