By the end of 2025, banks across the UAE will phase out one-time passwords (OTPs) sent via SMS or email, replacing them with secure in-app authentication methods. The move, directed by the Central Bank, is part of the country’s ongoing efforts to strengthen digital banking security and protect customers from cyber fraud while offering faster, more convenient online transactions.
Dubai, UAE: In a major digital security overhaul, banks across the UAE are set to eliminate the use of one-time passwords (OTPs) delivered via SMS or email by the end of 2025, shifting to in-app authentication methods for online transactions. This change is being driven by a directive from the Central Bank and is already underway in many financial institutions.
Table of contents [Show]
OTPs sent through SMS or email have been a longstanding method of verifying online banking activities. However, they are increasingly viewed as vulnerable to a range of cyber threats such as SIM-swap attacks, phishing schemes, and interception of messages. In contrast, in-app authentication—often paired with biometrics, device verification, and secure push notifications—offers stronger protection by operating within the bank’s own trusted environment.
Banks that together serve over 90 percent of UAE customers have already completed the transition. The remaining institutions are expected to phase out SMS/email OTPs by the end of next year.
Under the new system, customers will confirm transactions via their bank’s mobile app—by swiping, scanning, or using biometric unlock—rather than entering a code sent via text or email.
Customers who prefer to keep using OTPs can request that option in writing, though banks will issue disclaimers that continued use may increase their exposure to fraud.
The shift is framed as faster, safer, and more convenient. Banks have begun sending notices to customers explaining the transition and guiding them to enable app-based authentication. According to banking experts, over 90 percent of users already prefer mobile app transactions, making this a timely alignment with user behavior.
During the changeover, SMS/email OTPs may still be temporarily available for customers who have not yet enrolled in app verification, though finally that option will be discontinued entirely.
For customers who do not wish to or cannot use mobile apps, banks may allow limited, written-request exceptions—but such customers will likely bear increased risk for fraud claims under those legacy methods.
Customers should download or update their bank’s mobile app, register their devices, and enable in-app authentication modes (such as biometric login or device binding).
Instead of receiving a code, customers will now receive a push notification inside the app containing transaction details. They can review and approve or decline directly within the app.
In the early stages, banks may temporarily retain SMS/email OTP fallback options for users not yet set up in the app. But as the phase-out progresses, that fallback will disappear.
Banks will likely disclaim liability for fraud on legacy OTP methods once those are deprecated. That means customers using outdated OTPs may have weaker protection in a dispute.
Some customers—especially older users or those less familiar with mobile apps—may need assistance. Banks will need to provide support, tutorials, and customer service to ease the transition.
Banking analysts view the shift as a necessary step to modernize UAE’s financial security infrastructure. In-app authentication not only reduces exposure to common fraud vectors, but also enhances user convenience by eliminating delays or reliance on telecom networks.
Awatif Al Harmoody, a banking expert, commented that while a minority may resist, the transition will accelerate as the new method becomes standard and more people adopt it.
Some industry observers caution that the transition needs to be smooth to avoid friction or customer resistance. Clear communication, training, and support are crucial, particularly for vulnerable customer segments.
The UAE is not alone in this move. Many countries and banking systems globally are shifting away from SMS/email OTPs to in-app, token, or biometric authentication due to growing security concerns. The UAE’s approach may set a regional benchmark for robust digital banking security, especially given its rapid adoption across major banks.
The change also aligns with the country’s broader push for digital transformation, cybersecurity resilience, and trust in its financial and digital services ecosystem.
By the end of 2025, the UAE banking sector is expected to operate primarily with app-based authentication, marking the sunset of SMS/email OTPs. The transition will reshape how transactions are validated, how customers interact with banking apps, and how fraud prevention is structured.
As the deadline approaches, customers should proactively prepare—updating apps, enrolling devices, and understanding the new approval workflows. Banks will need to manage the change carefully to ensure a seamless experience. Ultimately, the move is intended to strengthen security, improve user experience, and align UAE’s banking systems with global best practices in digital identity and transaction protection.
