Abu Dhabi — Starting Friday, July 25, banks across the UAE will begin shifting from traditional SMS and email-based one-time passwords (OTPs) to app-based authentication, in line with a new directive issued by the UAE Central Bank.
The regulation applies to all electronic and financial transactions, both domestic and international, and aims to strengthen cybersecurity across the banking sector. The transition marks a key step in the country’s broader financial digital transformation.
Banks have been instructed to gradually phase out SMS and email OTPs, with a complete cutoff mandated by March 2026.
“Customers can now complete online transactions securely by using the ‘Authentication via App’ feature available on their bank’s official mobile applications,” said a spokesperson from a UAE-based retail bank. “This update aligns with the UAE’s commitment to preventing digital fraud and enhancing user privacy.”
A Shift Driven by Security Risks
The UAE’s decision comes amid rising concerns over SIM-swapping, phishing, and email spoofing, which have compromised OTP security globally. By requiring risk-based, in-app verification, banks aim to minimize vulnerabilities tied to third-party communication platforms.
The Central Bank’s guidelines urge banks to invest in real-time app-based security protocols and ensure customers are notified in advance about the new processes.
Customer Preparedness and Transition Period
Although the full phase-out will not occur until March 2026, banks are encouraging users to download or update their mobile apps immediately and begin using the new verification feature.
For now, some customers, particularly those with limited app access, may still receive OTPs through SMS or email. However, these channels will be retired in stages over the next 20 months, as part of a nationwide digital readiness strategy.
The shift is expected to affect millions of users across retail, business, and mobile banking sectors.
