“Based on the perceived risk associated with the transaction, additional checks beyond the minimum two-factor authentication may be resorted to. Issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions,” RBI said
Mumbai: The Reserve Bank on Thursday announced that new rules on digital payments, which allow for more ways to comply with the Two-Factor Authentication (2FA) beyond the SMS-based one-time password, will come into effect on April 1.
The factors of authentication can be from “something the user has”, “something the user knows” or “something the user is” and may comprise, inter-alia, password, SMS-based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar-based), the central bank said.
India is among the markets in the world which insist on 2FA, and financial sector players have been relying on the SMS-based alerts to execute transactions.
The RBI launched the (Authentication mechanisms for digital payment transactions) Directions, 2025, making it clear that 2FA will continue to be mandatory and SMS OTP can also be used.
The central bank had first announced the move in February 2024 to enable the payments ecosystem to leverage the technological advancements for implementing alternative authentication mechanisms.
The new rules specify that at least one of the factors of authentication is dynamically created or proven, wherein the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction.
Additionally, the system should also be robust, wherein compromise of one factor does not affect reliability of the other.
Apart from this, the RBI said that from a risk management perspective, the financial system stakeholders can also identify transactions for evaluation against behavioural /contextual parameters such as transaction location, user behaviour patterns, device attributes, historical transaction profile, etc.
“Based on the perceived risk associated with the transaction, additional checks beyond the minimum two-factor authentication may be resorted to. Issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions,” it said.
If any loss arises out of transactions effected without complying with these directions, the issuer shall compensate the customer for the loss in full without demur, the central bank said.
It also asks card issuers to put in place a mechanism to validate non-recurring, cross-border card not present (CNP) transactions, where request for authentication is raised by an overseas merchant or overseas acquirer from October 1, 2026.