UAE Banks Scrap SMS OTPs in Online Payment Upgrade

The United Arab Emirates is entering a new phase of digital banking security as major banks move away from SMS-based one-time passwords (OTPs) for online card payments. From January 6, 2026, customers will no longer receive verification codes by text message or email when making online card transactions. Instead, banks will require users to approve payments directly through their mobile banking applications.

This shift marks a significant upgrade in how online payments are authenticated across the UAE’s financial system. More importantly, it reflects the country’s broader push to strengthen cybersecurity, reduce digital fraud and modernise its fast-growing cashless economy.

By replacing SMS OTPs with in-app authentication, banks aim to close security gaps that criminals increasingly exploit. As a result, customers can expect safer, faster and more reliable payment approvals.

A Major Change in How Online Payments Are Verified

Until now, SMS and email OTPs were a standard security layer for online card payments in the UAE. Customers would enter a short numeric code sent to their phone or email to confirm a transaction. This method was widely used for years and helped reduce unauthorised card use.

However, over time, cybercriminals developed ways to exploit these systems. Consequently, OTPs sent through external channels became less reliable as a standalone security measure.

From January 6, UAE banks will fully stop using SMS OTPs for online card payments. Instead, all payment confirmations will take place within official banking apps. Customers must approve transactions using secure app-based tools such as biometrics, push notifications or personal PINs.

This change applies to most online card purchases, including e-commerce platforms and digital subscriptions.

Why UAE Banks Are Ending SMS OTPs

The move away from SMS OTPs is driven by rising cybersecurity risks. In particular, fraud linked to SMS interception has increased worldwide. Criminals often target OTPs through methods such as:

• SIM-swap fraud, where phone numbers are hijacked

• Phishing attacks that trick users into sharing codes

• Malware that reads SMS messages silently

• Network vulnerabilities that expose messages

Because SMS relies on telecom networks outside the bank’s control, it is harder to secure fully. As a result, global regulators now consider SMS OTPs less resilient against modern cyber threats.

In contrast, in-app authentication keeps the entire approval process within a secure banking environment. Therefore, banks can apply stronger encryption, device binding and behavioural monitoring.

Regulatory Push Behind the Transition

The transition is not happening in isolation. It is part of a wider regulatory strategy led by the Central Bank of the UAE (CBUAE).

The CBUAE has instructed banks to adopt stronger, phishing-resistant authentication methods. These measures are designed to protect customers and enhance trust in digital payments. Under these guidelines, UAE banks must fully phase out SMS and email OTPs by March 31, 2026.

However, many banks chose to accelerate the process. As a result, online card payments are among the first services to switch entirely to in-app approvals starting January 6.

Banks began notifying customers in late December 2025. These messages urged users to activate mobile app authentication features before the change takes effect.

How In-App Authentication Works

The new approval process is designed to be simple, secure and fast. Instead of entering a code from an SMS, customers will now follow a few clear steps.

First, the customer initiates an online card payment on a website or app. Next, the bank sends a push notification to the customer’s registered mobile banking app.

Then, the customer opens the app to review the transaction details. These details typically include the merchant name, amount and currency. Finally, the customer approves the payment using biometric verification, such as fingerprint or facial recognition, or a secure PIN.

Because the approval happens inside the app, the bank can confirm both the user’s identity and the registered device. This significantly reduces the risk of fraud.

Benefits of App-Based Payment Approval

The move to in-app authentication offers several important benefits for customers and banks alike.

Stronger Security

In-app approvals are tied to a specific device and user profile. Therefore, even if a phone number is compromised, transactions remain protected. Biometric checks further strengthen security.

Faster Transactions

Customers no longer need to wait for an SMS. Instead, approvals happen instantly through push notifications. This reduces delays during checkout.

Reduced Risk of Fraud

Because OTPs are no longer transmitted over vulnerable channels, criminals have fewer opportunities to intercept credentials.

Better User Control

Customers can see transaction details clearly before approving. As a result, suspicious payments are easier to spot and reject.

Together, these benefits align with global trends in digital banking security.

Which Banks Are Implementing the Change

Several major UAE banks have already rolled out or expanded in-app authentication systems. These include Emirates NBD, First Abu Dhabi Bank, Mashreq, and Abu Dhabi Islamic Bank.

Each bank uses its own mobile application interface. However, the underlying approval concept remains the same. Customers must use the official app to confirm card payments.

Banks have advised users to ensure their apps are updated and notifications are enabled to avoid transaction failures.

What Customers Need to Do Before January 6

To ensure uninterrupted online payments, customers should prepare in advance. The steps are simple but essential.

First, download or update the bank’s official mobile app. Outdated versions may not support the new approval features.

Second, enable push notifications. Without notifications, customers may miss approval requests.

Third, activate biometric login or set a secure app PIN. This step ensures quick and secure approvals.

Fourth, register the primary mobile device within the app. Some banks require device verification.

Finally, test the approval process by making a small online purchase before January 6.

Customers who do not complete these steps may face declined transactions once SMS OTPs are disabled.

Impact on Customers Without Smartphones

One concern raised by customers is access. Not everyone actively uses mobile banking apps. However, banks have clarified that app-based authentication is becoming the default requirement.

Customers without compatible smartphones may need to contact their bank directly. In some cases, alternative arrangements may be offered. However, banks strongly encourage digital onboarding.

This approach supports the UAE’s wider push toward digital-first financial services.

How This Fits Into Global Banking Trends

Globally, banks are moving away from SMS OTPs. Regions such as the European Union and the United States have already encouraged stronger authentication under frameworks like Strong Customer Authentication (SCA).

Biometric approvals, device-based authentication and secure apps are now considered best practice. Therefore, the UAE’s transition keeps its financial sector aligned with international standards.

Importantly, this also protects the country’s rapidly expanding digital payments ecosystem, including e-commerce, fintech platforms and mobile wallets.

Reducing Fraud in a Growing Digital Economy

The UAE has seen rapid growth in online shopping, contactless payments and digital banking. While this growth brings convenience, it also attracts cybercriminals.

By tightening authentication controls, banks aim to reduce fraud losses and protect consumer confidence. Lower fraud rates benefit both customers and financial institutions.

Moreover, stronger security helps maintain trust in the UAE’s financial system, which is critical for economic growth and international investment.

Communication and Customer Awareness

Banks have made customer awareness a priority. Notifications, emails and in-app messages explain the change and outline setup steps.

Nevertheless, some customers may still be unaware. Therefore, banks are expected to continue outreach efforts in early 2026.

Clear communication is essential to avoid confusion during the transition period.

Looking Ahead to March 2026

While January 6 marks a major milestone, the transition will continue. By March 31, 2026, all remaining SMS and email OTPs across banking services are expected to be phased out.

This includes other transaction types beyond online card payments. As a result, in-app authentication will become the standard for most digital banking activities.

Banks will likely expand features such as behavioural analytics and AI-driven fraud detection alongside app-based approvals.

Conclusion

The decision by UAE banks to end SMS OTPs for online card payments from January 6, 2026 represents a major upgrade in digital banking security. By shifting authentication into secure mobile apps, banks are addressing modern fraud risks while improving user experience.

For customers, the change brings stronger protection, faster approvals and better visibility into transactions. However, preparation is essential. Updating apps and enabling authentication features will ensure smooth online payments.

As the UAE continues its digital transformation, this move reinforces the country’s position as a regional leader in secure, future-ready financial services.