Starting 1 April, the Reserve Bank of India (RBI) will require all digital payments to be authenticated using at least two independent factors, tightening security across cards, UPI and wallets. This means a single factor, such as a PIN or an OTP, will no longer suffice.
The move comes as digital frauds surge and aims to plug gaps in systems that rely on a single layer of verification. Will this help curb digital frauds? Mint explains.
What changes under RBI’s two-factor authentication (2FA) rule?
From 1 April, all digital transactions must be verified using at least two independent authentication factors—such as a personal identification number (PIN), a one-time password (OTP) or a biometric—with at least one factor being dynamic.
The requirement applies across payment modes, including cards, UPI and wallets, standardizing security protocols across platforms. The tighter framework is aimed at reducing vulnerabilities and strengthening safeguards in digital payments.
How is this different from current practice?
Many transactions today rely on a single authentication factor, typically a PIN or an OTP. The new rule mandates two distinct layers of verification, making it harder for fraudsters to complete transactions even if one credential is compromised. For example, even if someone has access to the OTP, the transaction cannot be completed without the second factor, such as a PIN or biometric check.
Previously, OTP-only authentication was sufficient in some cases. By requiring dual verification, RBI is seeking to close gaps exploited in phishing and SIM-swap frauds, where users are tricked into sharing credentials, thereby raising the bar for transaction security across India’s digital ecosystem.
Why is RBI tightening authentication now?
Bank frauds rose to ₹36,014 crore in FY25, a 194% increase in value from a year earlier, according to RBI data. The central bank is tightening authentication standards to curb unauthorized transactions and reinforce trust in digital payments as adoption scales.
The move aims to make the financial system more resilient while reducing risks associated with compromised credentials.
What steps are banks taking to curb fraud?
Banks are upgrading systems to support 2FA and adding safeguards at the app and device level. These include linking apps to a registered mobile number and SIM, detecting screen-sharing or potentially malicious applications, and flagging unusual transaction patterns in real time.
Some banks also allow users to restrict fund transfers during certain hours, say from 10pm to 7am. Lenders are also increasingly relying on enhanced monitoring and detection systems to identify suspicious activity in real time.
Will 2FA make transactions slower or less convenient?
While adding another authentication step may feel cumbersome, RBI has emphasized balancing security with user convenience. Banks are exploring methods such as biometric verification or device-based approvals that minimize friction. For instance, instead of typing multiple codes, a fingerprint or face scan could serve as the second factor. The goal is to ensure that security does not come at the cost of usability.
Over time, the process is expected to become more seamless, with the added security likely to outweigh minor delays and support wider adoption of digital payments.