UAE banks to end SMS OTPs for online card payments from January 6

Dubai: Several major banks operating in the UAE have begun notifying customers that they will stop sending one-time passwords (OTPs) via text message for online card purchases, as part of a shift towards app-based authentication, according to messages sent to customers this week.

In text alerts issued on December 31, 2025, banks with some of the largest customer bases in the country informed clients that, starting January 6 2026, OTPs will no longer be delivered by SMS for online card transactions. Instead, payments will be verified exclusively through the bank’s smart mobile application.

“From January 6, 2026, we will stop sending one-time passwords (OTPs) via SMS for online card purchases,” the banks said in the messages, copies of which were seen by local media. Customers were urged to download and activate their bank’s mobile app to approve payments securely.

The move, according to Emarat Al Youm, follows a transition that began earlier last year. In July 2025, banks in the UAE started gradually phasing out OTPs sent by text message or email for electronic transactions and money transfers, replacing them with in-app verification methods.

An official document issued at the time, citing instructions from the Central Bank of the UAE, said that OTPs would be progressively discontinued across SMS and email channels. Customers were instead encouraged to complete electronic transactions through their banks’ mobile applications using app-based authentication features.

By October 2025, several banks had fully completed the transition, relying solely on mobile apps to authorise and approve electronic payments. This typically involves customers confirming transactions through simple in-app actions, such as swiping or tapping to approve a payment.

Banking sources previously indicated that the full transition across the sector was expected to be completed by the end of 2025. While some institutions had planned to retain the SMS OTP option for customers who preferred not to use mobile applications, this would require a written request and would shift liability for potential fraud away from the bank.