New Delhi— Digital payments in India are set to become more secure from April 1, 2026, as the Reserve Bank of India (RBI) makes two-factor authentication (2FA) compulsory for all online transactions.
Under the new rules, payments made through Unified Payments Interface (UPI), debit and credit cards, and mobile wallets will require at least two layers of verification. This means that a one-time password (OTP) alone will no longer be enough to complete transactions.
Users will now need to combine OTP with another authentication method such as a PIN, password, biometric verification, or a secure token. The move comes amid rising cases of online fraud, including phishing and SIM swap scams, where OTP-only systems have been vulnerable.
The RBI said the additional security layer is aimed at reducing unauthorised transactions and strengthening trust in digital payment platforms. However, the change may make payments slightly more time-consuming, particularly on new devices or for high-value transactions. Regular payments on trusted devices are expected to remain relatively smooth.
The new framework will also follow a risk-based approach, where the level of verification depends on the nature and behaviour of each transaction.
Another key feature is increased accountability for banks and payment platforms. If fraud occurs due to a lapse in their systems, financial institutions may be required to compensate customers. This is expected to speed up complaint resolution and encourage stronger security infrastructure.
The central bank has also indicated that similar authentication norms will be extended to international transactions, including cross-border card payments. Full implementation of the new rules is expected by October 2026.
With digital payments growing rapidly, experts say the additional step may be a minor inconvenience but could significantly reduce fraud risks and make everyday transactions safer for millions of users.
With inputs from IANS