UAE Banks Are Phasing Out OTPs: What It Means and What You Need to Do

Big changes are coming to how UAE bank customers verify transactions online. Banks across the United Arab Emirates are beginning to phase out one-time passwords (OTPs) sent via SMS text messages or email, in favour of more secure app-based and biometric authentication methods.

Starting July 25, 2025, a new directive requires banks to gradually phase out the use of OTPs for all domestic and international online banking transactions, with a full transition by March 2026. This move, mandated by the UAE Central Bank, aims to bolster digital banking security and enhance the customer experience as cyber fraud risks increase.

Which UAE Banks Are Removing OTPs and When

All major UAE banks are slated to comply with the OTP phase-out, but some have led the charge early. Emirates NBD, Abu Dhabi Islamic Bank (ADIB), and First Abu Dhabi Bank (FAB) are among the institutions that have already begun replacing SMS OTPs with in-app or biometric verification for most online banking transactions.

For example, ADIB notified customers via SMS that “SMS and email OTPs… will be phased out from July 25. Switch to ADIB mobile app for in-app authentication.”Even international banks operating in the UAE, like Citibank, have emailed customers that SMS OTP is no longer supported, urging users to approve online card payments through the bank’s mobile app instead .

This rollout is happening in phases rather than overnight. From July 25, 2025, banks will start gradually disabling OTP-by-text/email for new transactions and prompting customers to use their smartphone apps . By March 31, 2026, all UAE banks must completely discontinue OTPs sent via SMS or email . During the transition period (July 2025 – March 2026), some banks may temporarily allow OTPs for certain customers as a fallback , but the writing is on the wall: the one-time code by SMS will soon be a thing of the past.

Banks like Emirates NBD have been preparing for this for years – Emirates NBD introduced its “Smart Pass” in-app token back in 2020 to reduce reliance on SMS codes. Now, under the new Central Bank guidelines, all UAE banks must follow suit and adopt app-based authentication across the board .

What’s Replacing OTPs: App Notifications and Biometrics

In place of the old SMS or email OTPs, UAE banks are rolling out new verification technologies that are both more secure and convenient. The cornerstone of the replacement is in-app authentication via the bank’s official mobile banking app.

Whenever you initiate an online transaction (such as a fund transfer, bill payment, or card purchase), instead of receiving a 6-digit code by text, you’ll get a push notification on your phone. By opening your banking app, you can view transaction details and tap to approve or reject the request in real-time. This process is often protected by device security measures – you may need to use your fingerprint, face ID, or a secure PIN to confirm the action. In other words, the phone itself becomes the “token,” and your biometric login or PIN serves as the second factor.

These app-based approval prompts drastically reduce dependence on potentially vulnerable channels like telecom networks or email. “In-app push notifications and biometric authentication are safer alternatives because they eliminate dependence on the mobile network or email,” notes Carol Glynn, a UAE-based finance coach.

In-app verification requires customers to approve transactions within the bank’s app, often using fingerprints, facial recognition, or device-based authorisation. Many banks have already built such features: for example, Emirates NBD’s Smart Pass and Abu Dhabi Commercial Bank’s Secure Digital Token are designed to let customers authorise transactions without any SMS code. Similarly, ADIB’s mobile app uses fingerprint/face ID for transaction approval, even for online card purchases, completely eliminating the need for OTP codes .

Beyond mobile app notifications, banks are adding other advanced security layers: behavioral biometrics (monitoring the user’s typical device habits and flagging anomalies) and even hardware security keys for high-value accounts. “UAE banks are now integrating behavioral biometrics into their mobile apps and online portals,” says cybersecurity expert Rayad Kamal Ayub, noting that some wealthy clients are given physical security tokens or keys for sensitive accounts.

The UAE Central Bank’s directive explicitly calls on banks to adopt “risk-based authentication technologies including Emirates Face Recognition, soft tokens, and biometrics.” This means we can expect wider use of the UAE’s national digital ID facial recognition (for verifying identity), cryptographic soft tokens embedded in apps, and various biometric checks as standard security measures.

Why Are OTPs Being Phased Out?

The push to retire one-time passwords boils down to one thing: better security. Traditional SMS and email OTPs have been a mainstay of online banking security for years, but they’ve also become a weak link exploited by scammers. Fraudsters have developed numerous tricks to steal OTP codes, rendering them ineffective as a “secret” second factor.

Common attacks include SIM-swapping, where a criminal fraudulently duplicates your SIM card to receive your text messages (and thus your OTPs), and phishing schemes that fool users into entering their OTP on fake websites or divulging it over the phone . Cybersecurity experts in the UAE warn that “attackers can hijack mobile numbers or trick users via phishing to obtain OTPs, making it easy to bypass these security measures.”

The UAE has seen a surge in banking fraud cases tied to OTP theft. In one case reported by Khaleej Times, a victim lost his life savings after scammers cloned his SIM card and intercepted the OTP meant for him. Such incidents are becoming more frequent; SIM-swap attacks have doubled in the last few years in the region.

According to global data, SMS-based OTP fraud is a multi-billion-dollar problem, causing an estimated $6.7 billion in losses in 2021 alone. With phishing, malware, fake cell towers, and email hacks also in play, the one-time code delivered over public networks is no longer deemed secure enough for banking.

Aside from security, user experience and reliability are factors in the shift. OTP messages can be delayed due to network issues or even fail to arrive when customers are travelling abroad (a common complaint). Relying on SMS also means fragmenting the user journey – customers must switch between the banking website/app and their messages, which is inconvenient.

App-based approvals promise a smoother experience: faster, one-tap approvals and clear on-screen details of the transaction being authorised. “Besides stronger security, in-app approvals are also faster and more user-friendly, allowing one-tap confirmation and removing delays caused by SMS delivery,” explains Glynn. In short, the goal is to protect customers from fraud and streamline digital banking to make it hassle-free. Banks also benefit from fewer failed transactions (due to missed one-time passwords, or OTPs) and improved fraud detection built into their apps.

UAE Central Bank’s Directive and Government Stance

This nationwide transition away from OTPs is not just a trend – it’s mandated by regulators. In May 2025, the Central Bank of the UAE (CBUAE) issued confidential guidelines as part of an anti-fraud initiative, instructing banks to stop sending OTPs through “weak modes of communication” like SMS and email .

The Central Bank considers these channels vulnerable to compromise and, therefore, no longer acceptable for authenticating sensitive transactions. While the CBUAE did not make a public announcement specifically about OTP cancellation, it has set a clear rule behind the scenes: by March 2026, banks must have robust alternatives in place or face non-compliance consequences. The directive falls under a broader “prevention of fraud” regulation that has been circulated to all financial institutions.

Regulators and government bodies in the UAE are fully backing the move as part of efforts to enhance cybersecurity. The UAE Cybersecurity Council and law enforcement have repeatedly warned how scammers exploit OTPs to victimise consumers, urging stronger protections.

The OTP phase-out aligns with global trends – for instance, Singapore’s Monetary Authority issued a similar mandate to phase out SMS OTPs for certain banking actions. In the UAE’s case, the Central Bank’s guidance not only demands app-based or biometric login for transactions, but also calls for banks to implement real-time fraud monitoring and tighter customer controls . Banks are expected to suspend suspicious sessions and give customers new tools (like instant account freeze options) to combat fraud attempts.

Government officials frame this shift as part of the UAE’s digital transformation strategy. By weaning off outdated OTP methods, banks are nudged to adopt modern authentication innovations that are both more secure and convenient. “UAE banks and regulators are adopting groundbreaking authentication technologies to secure transactions, safeguard customer identities, and provide frictionless user experiences,” cybersecurity experts note.

The Central Bank’s vision is that embracing tech like biometrics, cryptographic tokens, and even emerging standards like passkeys (FIDO2-based passwordless logins) will strengthen trust in the financial system . In fact, the Central Bank’s directive specifically highlights “Emirates Face Recognition” – a state-of-the-art facial ID system – as a tool to be used for verifying customers’ identities remotely. These measures collectively aim to keep the UAE’s banking sector one step ahead of cybercriminals.

How Will This Affect Customers? What You Should Do

For bank customers in the UAE, the end of OTPs will bring some adjustments to your routine. Here’s what it means for you and how you can prepare:

• Use Your Bank’s Mobile App: If you haven’t already, download and install your bank’s official app on your smartphone. Going forward, transaction approvals must be done in-app – you’ll no longer receive SMS codes to confirm transfers or online purchases . Make sure you update the app to the latest version, as banks are rolling out new features to support in-app authentication.
  
• Enable Notifications & Biometrics: Once your banking app is set up, allow push notifications. This ensures you recieve an instant alert to approve a transaction whenever you initiate one . Also, consider enabling fingerprint or facial recognition login in the app’s settings (if available on your device) – this will make the approval process faster and more secure. Biometric authentication leverages unique traits that are much harder to steal than OTPs , adding an extra layer of protection.
  
• Learn the In-App Approval Process: The first time you make a transaction after OTPs are phased out, the new process may feel unfamiliar. Typically, after you enter a payment or transfer request online, a message will pop up on your phone: e.g. “Please open the XYZ Bank app to approve this transaction.” When you open the app, you’ll see the transaction details (amount, recipient, etc.) and options to “Approve” or “Decline.” Confirm that the details are correct, then tap Approve (and complete the fingerprint/Face ID/PIN as prompted). This real-time “active consent” step is essential – it ensures only you can authorise the action from your own device. If anything looks suspicious or you didn’t initiate it, you can hit Decline to block it, which is something you couldn’t do with a passive OTP code.
  
• Plan for Phone Issues: Since your phone and app are now key to your banking access, you should be prepared for scenarios such as losing or changing your phone. If you lose your phone, notify your bank immediately so they can disable app access on that device. Most banks have procedures to re-enable your app on a new phone securely (often involving visiting a branch or using your Emirates ID for verification). It’s also wise to keep your app login credentials and device PINs secure – never share your app password or allow others to register their biometrics on your device.
  
• No Opt-Out for Digital Banking: Importantly, if you prefer not to use a smartphone or banking app, you might face limitations. Eventually, using the mobile app for transaction verification will not be optional. Banks are encouraging even less tech-savvy customers to adapt, offering helplines and tutorials to guide them through the process. If you absolutely cannot use a mobile app, talk to your bank – a few banks may offer alternative arrangements (such as a physical token device), especially for senior citizens or special needs customers. However, these cases are exceptions; the vast majority of users will transition to the app system for any online activity.

In short, UAE banking customers should embrace the change as a positive step. The app-based authentication not only better protects your money from fraud, but also gives you more control. As one bank spokesperson put it, “Customers can now complete electronic transactions with ease via the smart application… [this] lets the customer directly authorise or reject transactions, making it harder for fraud to succeed.” Instead of typing a code, you’re actively involved in every transaction authorisation, which is a safer practice.

Timeline of the OTP Phase-Out in the UAE

To keep track of key dates and milestones in this security overhaul, here’s a brief timeline:

• May 2025: UAE Central Bank circulates an internal memo (fraud prevention guidelines) to financial institutions, advising that OTPs over SMS/email should be discontinued due to security vulnerabilities.
• June 2025: Banks begin alerting customers about upcoming changes. Some banks send pilot communications or begin offering in-app verification as an option. Emirates NBD, ADIB, FAB, and a few others are already well into transitioning customers to their app-based “Smart OTP” solutions.
• July 25, 2025: Official start of OTP phase-out. From this date, banks in the UAE “will begin phasing out” OTPs via SMS/email for all online and mobile banking transactions. New Central Bank guidelines take effect, and banks start defaulting customers to app authentication. Many customers receive SMS or email notices around this date – e.g. ADIB’s July 25 SMS about switching to the app, and Citibank’s email announcing SMS OTP is no longer supported.
• Late 2025: Gradual rollout continues. Banks monitor adoption and assist customers in making the transition. OTP messages may still be delivered in special cases or if a customer hasn’t updated the app yet, but usage of SMS OTP declines sharply. Increased public awareness campaigns run to educate users about not sharing any codes and being vigilant with the new system.
• By March 1–31, 2026: Full implementation deadline. By the end of March 2026, no bank in the UAE will send OTPs via SMS or email for transaction verification. All customers are expected to use app-based or equivalent secure methods. The Central Bank’s compliance deadline is March 2026 for a complete phase-out, after which any remaining use of SMS/email OTP would put a bank in violation of the mandate.
• Post-March 2026: The banking landscape in the UAE operates on passwordless or OTP-less frameworks. Verification is achieved through secure app notifications, biometrics, and tokens. The UAE will join a growing list of regions (like parts of Europe and Asia) that have modernised banking security by eliminating SMS OTPs. Regulators and banks will continue to fine-tune these systems, adding enhancements like passkeys for login and continuous authentication to stay ahead of fraud trends .

Conclusion

The phasing out of one-time passwords in the UAE marks a significant evolution in digital banking security. For consumers, it means a short-term adjustment – getting used to your banking app being central to approving payments – but a long-term gain in safety and convenience.

Banks in the UAE are removing OTPs not to make your life harder, but to protect you from increasingly sophisticated fraud schemes and to streamline your online banking experience. The Central Bank’s initiative highlights the growing importance of cybersecurity in today’s financial services. By March 2026, logging into your account or transferring money will rely on something far more secure than a text message: your own fingerprint or face, and a secure app tied to your identity.

As UAE banks adopt technologies such as biometrics, encrypted tokens, and real-time fraud monitoring, customers can take comfort in knowing that the old SMS code will soon be a thing of the past – replaced by authentication methods that are tougher on criminals and easier for you. Stay alert, keep your banking app up to date, and enjoy the added peace of mind that comes with these enhancements.

FAQs