From July 25, 2025, UAE banks will start phasing out OTPs sent via SMS and email. Learn which banks are affected, what replaces OTPs, why it’s happening, and how to stay secure with app and biometric authentication.
Big changes are coming to how UAE bank customers verify transactions online. Banks across the United Arab Emirates are beginning to phase out one-time passwords (OTPs) sent via SMS text messages or email, in favour of more secure app-based and biometric authentication methods.
Starting July 25, 2025, a new directive requires banks to gradually
. This move, mandated by the UAE Central Bank, aims to bolster digital banking security and enhance the customer experience as cyber fraud risks increase.
All major UAE banks are slated to comply with the OTP phase-out, but some have led the charge early. Emirates NBD, Abu Dhabi Islamic Bank (ADIB), and First Abu Dhabi Bank (FAB) are among the institutions that have already begun replacing SMS OTPs with in-app or biometric verification for most online banking transactions.
For example, ADIB notified customers via SMS that “SMS and email OTPs… will be phased out from July 25. Switch to ADIB mobile app for in-app authentication.”Even international banks operating in the UAE, like Citibank, have emailed customers that SMS OTP is no longer supported, urging users to approve online card payments through the bank’s mobile app instead .
This rollout is happening in phases rather than overnight. From July 25, 2025, banks will start gradually disabling OTP-by-text/email for new transactions and prompting customers to use their smartphone apps . By March 31, 2026, all UAE banks must completely discontinue OTPs sent via SMS or email . During the transition period (July 2025 – March 2026), some banks may temporarily allow OTPs for certain customers as a fallback , but the writing is on the wall: the one-time code by SMS will soon be a thing of the past.
Banks like Emirates NBD have been preparing for this for years – Emirates NBD introduced its “Smart Pass” in-app token back in 2020 to reduce reliance on SMS codes. Now, under the new Central Bank guidelines, all UAE banks must follow suit and adopt app-based authentication across the board .
In place of the old SMS or email OTPs, UAE banks are rolling out new verification technologies that are both more secure and convenient. The cornerstone of the replacement is in-app authentication via the bank’s official mobile banking app.
Whenever you initiate an online transaction (such as a fund transfer, bill payment, or card purchase), instead of receiving a 6-digit code by text, you’ll get a push notification on your phone. By opening your banking app, you can view transaction details and tap to approve or reject the request in real-time. This process is often protected by device security measures – you may need to use your fingerprint, face ID, or a secure PIN to confirm the action. In other words, the phone itself becomes the “token,” and your biometric login or PIN serves as the second factor.
These app-based approval prompts drastically reduce dependence on potentially vulnerable channels like telecom networks or email. “In-app push notifications and biometric authentication are safer alternatives because they eliminate dependence on the mobile network or email,” notes Carol Glynn, a UAE-based finance coach.
In-app verification requires customers to approve transactions within the bank’s app, often using fingerprints, facial recognition, or device-based
. Many banks have already built such features: for example, Emirates NBD’s Smart Pass and Abu Dhabi Commercial Bank’s Secure Digital Token are designed to let customers authorise transactions without any SMS code. Similarly, ADIB’s mobile app uses fingerprint/face ID for transaction approval, even for online card purchases, completely eliminating the need for OTP codes .
Beyond mobile app notifications, banks are adding other advanced security layers: behavioral biometrics (monitoring the user’s typical device habits and flagging anomalies) and even hardware security keys for high-value accounts. “UAE banks are now integrating behavioral biometrics into their mobile apps and online portals,” says cybersecurity expert Rayad Kamal Ayub, noting that some wealthy clients are given physical security tokens or keys for sensitive accounts.
The UAE Central Bank’s directive explicitly calls on banks to adopt “risk-based authentication technologies including Emirates Face Recognition, soft tokens, and biometrics.” This means we can expect wider use of the UAE’s national digital ID facial recognition (for verifying identity), cryptographic soft tokens embedded in apps, and various biometric checks as standard security measures.
The push to retire one-time passwords boils down to one thing: better security. Traditional SMS and email OTPs have been a mainstay of online banking security for years, but they’ve also become a weak link exploited by scammers. Fraudsters have developed numerous tricks to steal OTP codes, rendering them ineffective as a “secret” second factor.
Common attacks include SIM-swapping, where a criminal fraudulently duplicates your SIM card to receive your text messages (and thus your OTPs), and phishing schemes that fool users into entering their OTP on fake websites or divulging it over the phone . Cybersecurity experts in the UAE warn that “attackers can hijack mobile numbers or trick users via phishing to obtain OTPs, making it easy to bypass these security measures.”
The UAE has seen a surge in banking fraud cases tied to OTP theft. In one case reported by Khaleej Times, a victim lost his life savings after scammers cloned his SIM card and intercepted the OTP meant for him. Such incidents are becoming more frequent; SIM-swap attacks have doubled in the last few years in the region.
According to global data, SMS-based OTP fraud is a multi-billion-dollar problem, causing an estimated $6.7 billion in losses in 2021 alone. With phishing, malware, fake cell towers, and email hacks also in play, the one-time code delivered over public networks is no longer deemed secure enough for banking.
Aside from security, user experience and reliability are factors in the shift. OTP messages can be delayed due to network issues or even fail to arrive when customers are travelling abroad (a common complaint). Relying on SMS also means fragmenting the user journey – customers must switch between the banking website/app and their messages, which is inconvenient.
App-based approvals promise a smoother experience: faster, one-tap approvals and clear on-screen details of the transaction being authorised. “Besides stronger security, in-app approvals are also faster and more user-friendly, allowing one-tap confirmation and removing delays caused by SMS delivery,” explains Glynn. In short, the goal is to protect customers from fraud and streamline digital banking to make it hassle-free. Banks also benefit from fewer failed transactions (due to missed one-time passwords, or OTPs) and improved fraud detection built into their apps.
This nationwide transition away from OTPs is not just a trend – it’s mandated by regulators. In May 2025, the Central Bank of the UAE (CBUAE) issued confidential guidelines as part of an anti-fraud initiative, instructing banks to stop sending OTPs through “weak modes of communication” like SMS and email .
The Central Bank considers these channels vulnerable to compromise and, therefore, no longer acceptable for authenticating sensitive transactions. While the CBUAE did not make a public announcement specifically about OTP cancellation, it has set a clear rule behind the scenes: by March 2026, banks must have robust alternatives in place or face non-compliance consequences. The directive falls under a broader “prevention of fraud” regulation that has been circulated to all financial institutions.
Regulators and government bodies in the UAE are fully backing the move as part of efforts to enhance cybersecurity. The UAE Cybersecurity Council and law enforcement have repeatedly warned how scammers exploit OTPs to victimise consumers, urging stronger protections.
The OTP phase-out aligns with global trends – for instance, Singapore’s Monetary Authority issued a similar mandate to phase out SMS OTPs for certain banking actions. In the UAE’s case, the Central Bank’s guidance not only demands app-based or biometric login for transactions, but also calls for banks to implement real-time fraud monitoring and tighter customer controls . Banks are expected to suspend suspicious sessions and give customers new tools (like instant account freeze options) to combat fraud attempts.
Government officials frame this shift as part of the UAE’s digital transformation strategy. By weaning off outdated OTP methods, banks are nudged to adopt modern authentication innovations that are both more secure and convenient. “UAE banks and regulators are adopting groundbreaking authentication technologies to secure transactions, safeguard customer identities, and provide frictionless user experiences,” cybersecurity experts note.
The Central Bank’s vision is that embracing tech like biometrics, cryptographic tokens, and even emerging standards like passkeys (FIDO2-based passwordless logins) will strengthen trust in the financial system . In fact, the Central Bank’s directive specifically highlights “Emirates Face Recognition” – a state-of-the-art facial ID system – as a tool to be used for verifying customers’ identities remotely. These measures collectively aim to keep the UAE’s banking sector one step ahead of cybercriminals.
For bank customers in the UAE, the end of OTPs will bring some adjustments to your routine. Here’s what it means for you and how you can prepare:
In short, UAE banking customers should embrace the change as a positive step. The app-based authentication not only better protects your money from fraud, but also gives you more control. As one bank spokesperson put it, “Customers can now complete electronic transactions with ease via the smart application… [this] lets the customer directly authorise or reject transactions, making it harder for fraud to succeed.” Instead of typing a code, you’re actively involved in every transaction authorisation, which is a safer practice.
To keep track of key dates and milestones in this security overhaul, here’s a brief timeline:
The phasing out of one-time passwords in the UAE marks a significant evolution in digital banking security. For consumers, it means a short-term adjustment – getting used to your banking app being central to approving payments – but a long-term gain in safety and convenience.
Banks in the UAE are removing OTPs not to make your life harder, but to protect you from increasingly sophisticated fraud schemes and to streamline your online banking experience. The Central Bank’s initiative highlights the growing importance of cybersecurity in today’s financial services. By March 2026, logging into your account or transferring money will rely on something far more secure than a text message: your own fingerprint or face, and a secure app tied to your identity.
As UAE banks
– replaced by authentication methods that are tougher on criminals and easier for you. Stay alert, keep your banking app up to date, and enjoy the added peace of mind that comes with these enhancements.
Subscribe to our newsletter to get the latest updates and news
Founder & Editor-in-Chief of tbreak Media with 20+ years in tech journalism with bylines at CNET, TechRadar, PCMag and IGN, covering smartphones, gaming, home tech and more. UAE-based, bringing regional expertise to global product coverage.

source