RBI mandates 2FA for all digital payments: Here's what changes
Starting April 1, 2026, the Reserve Bank of India (RBI) will require everyone to use two-factor authentication (2FA) for all digital payments.
This big change comes as a response to the rise in phishing and SIM-related frauds.
Right now, most transactions rely on SMS OTPs, but RBI wants issuers and payment providers to move toward safer options like biometrics or tokenization.
What you need to know
Every transaction will need two different ways to confirm your identity—at least one must be unique to that specific payment.
If banks or payment providers don't follow these rules and something goes wrong, they'll have to compensate you for any fraud losses.
You'll also get some flexibility: you can pick how you want to authenticate—think passwords, hardware tokens, or even fingerprint scans.
By October 2026, extra checks will roll out for certain international payments too, for certain international online transactions.