On September 25, 2025, the Reserve Bank of India (RBI) published its final “Authentication Mechanisms for Digital Payment Transactions Directions, 2025”, introducing tighter requirements and clearer rules for how digital payments must be authorised. The new framework mandates two-factor authentication (2FA) for all domestic digital payments from April 1, 2026, unless specific provisions say otherwise. 

Moreover, for international, non-recurring card-not-present (CNP) transactions, the RBI requires card issuers to implement additional authentication when requested by overseas merchants or acquirers, with a compliance deadline set for October 1, 2026. 

The guidelines also introduce a risk-based approach: issuers may apply heightened checks beyond the two required factors depending on the fraud risk of individual transactions. This can include the use of DigiLocker as a platform for notification and confirmation of “high-risk transactions”. The directions do not immediately eliminate the use of SMS-based OTPs, but they expect at least one authentication factor to be dynamic, so that one compromised factor does not compromise transaction security.

RBI Directions On Two-Factor Authentication

The RBI mandates that all digital payment transactions utilise at least two distinct factors for authentication. While the RBI hasn’t prescribed a specific factor, it requires that one of the chosen factors must be dynamic, meaning it is generated uniquely for each transaction. This ensures that even if one factor is compromised, the other remains reliable. At the same time, issuers may allow customers to select their preferred authentication factors, provided they comply with the framework.

In practical terms, the factors of authentication fall under three broad categories:

  • “something the user knows”, such as a password, PIN, or passphrase;
  • “something the user has”, such as a card, hardware token, software token, or SMS-based OTP;
  • “something the user is”, which refers to biometric credentials such as device-native fingerprints, Face ID, or Aadhaar-based verification.

Furthermore, the central bank has emphasised that authentication mechanisms must be strong enough so that the compromise of one factor does not undermine the other. It has also directed payment system providers to make tokenisation or authentication services available on an open and interoperable basis across devices and platforms, ensuring that users experience consistency and safety regardless of the channel they use. 
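To make the “two distinct factors, at least one dynamic” rule concrete, here is an added Python example; it is not code from the RBI or from this article. It uses a hypothetical transaction-bound code as the dynamic possession factor (HMAC over the transaction id, amount and a server nonce) and a policy check over the verified factors; the device key, nonce and transaction values are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# The three factor categories named in the RBI directions.
KNOWS, HAS, IS = "something the user knows", "something the user has", "something the user is"

@dataclass(frozen=True)
class Factor:
    category: str    # KNOWS, HAS or IS
    dynamic: bool    # True if the value was generated uniquely for this transaction
    verified: bool   # result of checking the factor against the stored or derived value

def transaction_code(device_key: bytes, txn_id: str, amount_paise: int, nonce: bytes) -> str:
    """Hypothetical dynamic factor: a 6-digit code derived from a device-bound key plus the
    transaction id, amount and a fresh server nonce, so it is valid only for this transaction."""
    msg = f"{txn_id}|{amount_paise}|".encode() + nonce
    digest = hmac.new(device_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def check_code(device_key: bytes, txn_id: str, amount_paise: int, nonce: bytes, submitted: str) -> bool:
    expected = transaction_code(device_key, txn_id, amount_paise, nonce)
    return hmac.compare_digest(expected, submitted)   # constant-time comparison

def authorised(factors: list) -> bool:
    """Policy: at least two verified factors from distinct categories, one of them dynamic."""
    ok = [f for f in factors if f.verified]
    return len({f.category for f in ok}) >= 2 and any(f.dynamic for f in ok)

def demo() -> dict:
    key = b"constructed-device-key-32-bytes!"                    # constructed device key
    nonce = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed per-transaction nonce
    code = transaction_code(key, "TXN-1", 50_000, nonce)        # Rs 500.00, constructed transaction
    pin_ok = Factor(KNOWS, dynamic=False, verified=True)
    return {
        # PIN + transaction-bound code: two categories, one dynamic -> authorised
        "pin_plus_code": authorised([pin_ok, Factor(HAS, True, check_code(key, "TXN-1", 50_000, nonce, code))]),
        # The same code replayed against a tampered amount does not verify
        "replayed_code": check_code(key, "TXN-1", 90_000, nonce, code),
        # PIN + password: both "knows", so not two distinct factors
        "pin_plus_password": authorised([pin_ok, Factor(KNOWS, False, True)]),
        # PIN + static card data: two categories but nothing dynamic
        "pin_plus_static_card": authorised([pin_ok, Factor(HAS, False, True)]),
    }
```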

Exemptions From Authentication

RBI has carved out clear exemptions from the mandatory two-factor authentication requirement. For instance, small-value contactless card transactions can proceed without 2FA, reflecting the need for speed at point-of-sale counters. Similarly, recurring transactions, except the very first one under the e-mandate framework, do not require repeated authorisation, ensuring that subscriptions and…

Last Update: October 6, 2025