UAE banks are moving to a major overhaul of how customers approve digital transactions, with SMS and email one-time passwords (OTPs) set to be fully discontinued by March 2026. Under new guidelines issued by the UAE Central Bank, banks are required to transition customers to in-app banking authorisation, a system designed to improve security while simplifying the approval process.
The shift affects millions of residents who regularly use mobile banking for payments, transfers, and online purchases. While SMS OTPs have long been the standard, regulators say the method no longer offers adequate protection against increasingly sophisticated cybercrime.
How in-app banking authorisation works
In-app authorisation allows customers to approve or decline transactions directly within their bank’s official mobile application, eliminating the need to receive or manually enter verification codes.
Typically, the process involves:
- Initiating a transaction via the bank’s app or website
- Receiving a push notification from the bank’s mobile app
- Reviewing transaction details such as amount and recipient
- Confirming identity using biometrics or a secure PIN
- Approving or rejecting the transaction instantly
Because the entire process occurs inside a secured app environment, banks say it significantly reduces the risk of unauthorised access.
Why SMS OTPs are being phased out
According to banking and cybersecurity experts, SMS-based authentication has become increasingly vulnerable to fraud. Phishing scams, fake websites, and SIM-swap attacks have made it easier for criminals to intercept OTPs and access accounts.
In-app authorisation addresses these weaknesses by:
- Preventing OTP interception through phishing attempts
- Eliminating reliance on SIM cards, reducing SIM-swap fraud
- Adding multiple security layers such as biometrics and device verification
- Giving customers full visibility of transaction details before approval
Regulators say these safeguards offer stronger protection than SMS or email-based verification ever could.
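As an added illustration (not code from any bank or from the Central Bank guidelines), the sketch below shows one way an approval can be tied to both the enrolled device and the exact transaction details the customer reviewed. It assumes a per-device secret provisioned at enrolment, with HMAC standing in for a hardware-backed signing key; all function and variable names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Constructed enrolment table: device_id -> key provisioned when app-based
# authorisation was activated. HMAC is an assumed stand-in for a device key.
DEVICE_KEYS = {"device-A": secrets.token_bytes(32)}
PENDING = {}  # challenge_id -> (device_id, nonce, transaction held by the bank)


def mac_over(key, nonce, txn):
    # Canonical JSON so the app and the bank compute over identical bytes.
    body = json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, nonce + body, hashlib.sha256).digest()


def bank_push_challenge(device_id, txn):
    """Bank side: store the pending transaction and push it to one device."""
    challenge_id, nonce = secrets.token_hex(8), secrets.token_bytes(16)
    PENDING[challenge_id] = (device_id, nonce, dict(txn))
    return challenge_id, nonce, dict(txn)


def app_approve(device_key, nonce, displayed_txn, user_verified):
    """App side: approve exactly what was displayed, only after biometrics/PIN."""
    if not user_verified:
        return None
    return mac_over(device_key, nonce, displayed_txn)


def bank_verify(challenge_id, approval):
    """Bank side: single-use check against the transaction the bank recorded."""
    entry = PENDING.pop(challenge_id, None)  # pop: a replayed approval finds nothing
    if entry is None or approval is None:
        return False
    device_id, nonce, txn = entry
    expected = mac_over(DEVICE_KEYS[device_id], nonce, txn)
    return hmac.compare_digest(approval, expected)
```

Unlike a six-digit code that is valid for whatever the session submits, the approval value here verifies only for the recorded amount and recipient, from the enrolled device, once.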
A more convenient experience for customers
Beyond security, banks say the new system improves usability. Customers no longer need to wait for text messages or switch between apps, a common frustration when travelling or experiencing poor network coverage.
Approvals are faster, more intuitive, and fully integrated into the mobile banking experience. For frequent digital banking users, this change is expected to make everyday transactions smoother and more reliable.
When the change takes effect
UAE banks began gradually phasing out SMS and email OTPs from July 25, 2025. During the transition period, some customers may still receive OTPs for certain transactions. However, by March 2026, app-based authentication will become mandatory for both domestic and international transactions.
Major banks including Emirates NBD, Mashreq, ADCB, and First Abu Dhabi Bank have already rolled out in-app authentication features under names such as “Smart OTP” or “App-based Approval.”
What customers should do now
Customers are encouraged to:
- Update their bank’s mobile app to the latest version
- Enable biometric login features
- Activate app-based authorisation through security settings
Banks have also published guides and customer support resources to help users complete the transition.
A shift in how banking security works
Regulators say the move reflects a broader effort to modernise the UAE’s financial infrastructure and reduce digital fraud. While the change may require a short adjustment period for some users, authorities believe it marks a significant step forward in securing online banking.
As SMS OTPs become a thing of the past, in-app authentication is set to become the new standard for safer, faster digital banking across the UAE.
