Your next OTP won’t come by SMS - UAE banks make security safer, say finance experts
Dubai: From Friday, July 25, banks in the UAE will begin gradually phasing out one-time passwords (OTPs) sent via SMS and email, in line with new guidelines issued by the UAE Central Bank.
The shift will not happen overnight. Banks have until March 2026 to fully discontinue SMS and email OTPs for both domestic and international financial transactions, and must transition customers to more secure, app-based authentication methods.
“This update makes sense. App-based approvals are safer than SMS, and it’s the direction banking needs to go. Of course, scammers will keep trying new ways. So just stay smart: don’t approve anything unless you’re the one who triggered it, and reach out to your bank if something feels suspicious,” said UAE-based financial coach Jay Adrian Tolentino.
Financial content creator Kartik Iyer said the change was overdue, adding that most scams happen not due to carelessness but because “scams are getting smarter.”
“Even the sharpest minds can fall for it. In a rush, in a moment of stress, we slip and that one OTP can cost you thousands. The new move by banks to shift OTPs inside the app instead of relying on SMS, WhatsApp, or email is brilliant,” he said.
Many central banks and financial institutions globally have already adopted or are in the process of moving to app-based or biometric authentication.
“Why should someone have to go to a third-party app to access something as sensitive as an OTP? Keep it in-app. Keep it secure. This is a small change that will prevent countless scams,” Iyer said.
This move was long overdue. Most banking scams happen because people unknowingly give away their OTPs, not because they’re careless or uneducated, but because scams are getting smarter. Even the sharpest minds can fall for it. In a rush, in a moment of stress, we slip and that one OTP can cost you thousands.
“The traditional authentication methods of SMS and email OTPs are susceptible to interception and fraud. Attackers can hijack mobile numbers through SIM swapping or trick users via phishing to obtain OTPs, making it easy to bypass these security measures,” Carol Glynn, finance coach and chartered accountant, said.
Financial institutions globally, including those in the UAE, face escalating cyber threats and financial fraud. SMS OTP-related fraud caused an estimated $6.7 billion in losses in 2021 alone, according to the US-based Communications Fraud Control Association (CFCA).
While SMS and email one-time passwords (OTPs) are widely used, Glynn broke down why they come with several security risks:
SIM swap attacks: Hackers trick phone providers into transferring your number to their SIM to steal OTPs.
Phishing scams: Fraudsters create fake websites or send fake messages to get users to reveal their OTPs.
Message delays and fatigue: Poor signal or too many OTP requests can cause delays or accidental approvals.
Weak telecom systems: The SMS system (SS7) is outdated and can be hacked to intercept OTPs.
Fake cell towers: Attackers can intercept messages by pretending to be real mobile networks.
Email hacks: OTPs sent to email can be stolen if the inbox is compromised.
Phone malware: Malware on your device can steal OTPs and send them to attackers.
According to Glynn, in-app push notifications and biometric authentication are safer alternatives because they eliminate dependence on the mobile network or email.
In-app verification requires customers to approve transactions directly within their bank’s official mobile app, often using fingerprints, facial recognition, or device-based authorisation.
“This approach reduces phishing risks, eliminates dependency on the telephone network or email, and adds layers like biometric scans, passcodes, or liveness detection for stronger security,” Glynn noted.
Besides stronger security, in-app approvals are also faster and more user-friendly, allowing one-tap confirmation and showing transaction details before authorisation. This removes delays caused by SMS delivery and improves the overall experience.
“Biometric authentication (fingerprint, facial recognition, etc.) leverages unique user physical traits, which are much harder to replicate or steal compared to OTPs. This adds strong security by verifying both device possession and user identity,” she said.
In-app verification requires customers to approve transactions within their bank’s official mobile app, often using biometrics or device-based authentication. This approach reduces phishing risks, eliminates dependency on the telephone network or email, and adds layers like biometric scans, passcodes, or liveness detection for stronger security.
Carol Glynn, UAE-based finance coach and chartered accountant
Glynn also cautioned that in-app authentication is not foolproof and fraud tactics continue to evolve.
“Push-based MFA [multi-factor authentication] can carry the risk of MFA fatigue attacks where a hacker repeatedly triggers approval prompts until the user unwisely taps ‘Accept’,” she said.
For this reason, ongoing user awareness and robust app security remain essential.
She noted that the effectiveness will depend on how banks implement and maintain the new systems, how customers adapt to the change, and the continued vigilance required to counter evolving fraud tactics.