CBUAE SMS OTP Elimination Mandate: Guide for Financial Institutions

🗒️  Key Highlights
  • UAE banks have begun phasing out SMS OTP codes with March 2026 as the target completion date.
  • All licensed financial institutions (LFIs), including banks, finance companies, exchange houses, insurance companies, and payment service providers offering direct consumer services, must comply with the phase-out requirements.
  • While specific penalties aren’t publicly disclosed, non-compliance typically results in elevated risk ratings on CBUAE internal dashboards and potential regulatory sanctions affecting operational licenses.

UAE banks are moving away from SMS OTP codes, and you might have noticed this already. Some customers have received notifications about switching to app-based authentication instead.

While there’s no official announcement yet, the shift is happening across multiple banks with a March 2026 timeline being mentioned. If you’re wondering why this change is taking place, we’re breaking down the reasons and what it means for your banking experience.

First up, let’s understand why SMS codes are being phased out.

Why Are UAE Banks Stopping SMS OTP Codes?

SMS codes have become the weakest link in banking security. What started as a convenient way to verify your identity has turned into a highway for cybercriminals. The vulnerabilities are everywhere: SIM swapping (which stole $68 million in 2021 alone), message interception through SS7 protocol holes, real-time phishing on fake banking sites, mobile malware that reads your texts, and travel-related delivery failures that leave customers stranded abroad.

UAE’s situation makes it especially attractive to criminals. With over 96% internet penetration – one of the world’s highest – and high disposable income, UAE residents conduct more high-value digital transactions, making successful scams extremely profitable. 

What Are the Approved Authentication Alternatives Under UAE Banking Regulations?

Since the UAE Central Bank hasn’t issued an official public notice specifically about stopping SMS OTPs, we don’t know their exact preferred replacements for this transition. However, we can look at other authentication methods that are already mentioned in guidelines alongside SMS codes.

The CBUAE’s current security frameworks reference several advanced authentication technologies that banks are authorized to use.

These methods represent the approved alternatives that financial institutions can implement under existing regulations.

  • Biometric Authentication Systems

In biometric verification systems (such as fingerprint scanning, face recognition, and voice verification), authentication happens directly within banking apps. The technology includes UAE liveness checks that ensure you’re actually present (not just holding up a photo), and UAE face match systems that compare your live image against your Emirates ID photo.

This biometric verification works in real-time and creates a unique mathematical signature from your physical features. Unlike passwords that can be guessed or codes that can be intercepted, your biometric data stays on your device and never travels over networks where it could be compromised. Signzy’s Face Match API, for instance, achieves over 99% accuracy when comparing live images against official documents.

  • In-App Push Notifications

Your banking app sends a notification directly to your phone showing exactly what transaction is happening – the amount, recipient, and purpose. You simply tap “Approve” or “Deny” without typing any codes. Often, you’ll use your fingerprint or face scan to confirm, making the whole process take just seconds.

The security advantage is huge – there’s no code to steal because no code exists. The approval happens entirely within the encrypted banking app environment, making it nearly impossible for scammers to intercept. Emirates NBD pioneered this with their Smart Pass system back in 2020, and you can see transaction details before approving anything.

  • Risk-Based Authentication Frameworks

The system continuously analyzes dozens of factors: your location, device, typing patterns, transaction history, and even the time of day you typically bank. Low-risk transactions (checking balance from your usual device) might need just a fingerprint, while suspicious activity triggers additional verification steps.

Machine learning algorithms build a profile of your normal behavior over time. If you suddenly try to transfer money from a new device in a different country at 3 AM, the system knows something’s unusual and asks for extra verification before allowing the transaction. From our experience working with financial institutions at Signzy, implementing these frameworks through ready-made APIs can reduce deployment time from months to just days.

  • Cryptographic Solutions

These systems use public-key cryptography, where your device generates a unique digital signature for each transaction. Your phone holds a private key that never leaves the device, while the bank uses a corresponding public key to verify the signature came from you.

Hardware tokens and smart cards work similarly for high-value transactions, generating cryptographic proofs that are mathematically impossible to duplicate. Think of it like a digital fingerprint that’s unique to each transaction and can’t be forged or replayed by attackers.
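
The per-transaction signing flow described above, as an added example that is not Signzy's or any bank's code: the bank issues a one-time challenge bound to the transaction, the device signs it, and the bank verifies with the stored public key. The choice of Ed25519, the names Bank, Enroll, Challenge, DeviceSign and Approve, and the sample transaction text are all assumptions made for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Bank is a hypothetical verifier; it holds only the device's public key.
type Bank struct {
	deviceKey ed25519.PublicKey
	pending   map[string]string // nonce -> transaction awaiting approval
}

// Enroll makes a key pair; priv models the key that never leaves the phone.
func Enroll() (*Bank, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Bank{deviceKey: pub, pending: map[string]string{}}, priv
}

// Challenge ties a fresh random nonce to the exact transaction text.
func (b *Bank) Challenge(tx string) string {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	nonce := fmt.Sprintf("%x", n) // fixed length, so nonce+"|"+tx is unambiguous
	b.pending[nonce] = tx
	return nonce
}

// DeviceSign runs on the phone once the customer approves the shown details.
func DeviceSign(k ed25519.PrivateKey, nonce, tx string) []byte {
	return ed25519.Sign(k, []byte(nonce+"|"+tx))
}

// Approve uses each nonce once and verifies against the bank's own record of tx.
func (b *Bank) Approve(nonce string, sig []byte) bool {
	tx, ok := b.pending[nonce]
	delete(b.pending, nonce)
	return ok && ed25519.Verify(b.deviceKey, []byte(nonce+"|"+tx), sig)
}

func main() {
	bank, priv := Enroll()
	nonce := bank.Challenge("AED 500.00 to TEST-PAYEE") // constructed sample
	sig := DeviceSign(priv, nonce, "AED 500.00 to TEST-PAYEE")
	fmt.Println(bank.Approve(nonce, sig), bank.Approve(nonce, sig)) // true false
}
```

Because the bank verifies against the transaction it recorded for that nonce, a signature captured for one payment fails both when replayed and when attached to a different amount or payee.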

Preparing for March 2026 – UAE’s SMS OTP Phase-Out Deadline

Building authentication infrastructure from scratch can take months of development time and significant resources. In rare cases it is possible to build everything in-house, but that means devoting your entire engineering team to authentication instead of focusing on your core banking products and customer experience improvements.

That’s where Signzy comes in. Our out-of-the-box APIs let you get enterprise-grade authentication infrastructure connected to your existing system and brand environment within just a few days.

  • Biometric Identity Verification: Complete fingerprint, facial, and voice recognition systems that integrate directly with UAE Pass and Emirates ID for seamless customer onboarding and transaction verification.
  • Face Match API: Advanced UAE face match technology that compares live selfies against government-issued ID photos with 99.5% accuracy, ensuring the person transacting is actually the account holder.
  • Liveness Check API: Real-time UAE liveness checks that detect spoofing attempts using photos, videos, or masks, providing bank-grade security against sophisticated fraud attempts.

To see these Signzy solutions in action, you can book a no-obligation demo here.

Tanya Narayan

Tanya is a Product Marketing Manager at Signzy and a GrowthX Fellow, with a strong focus on SaaS and fintech. She specializes in go-to-market strategy, customer research, and positioning to help teams bring products to market effectively. She has also cleared the Company Secretary foundation level, reflecting her grounding in corporate and compliance fundamentals.

FAQ

What authentication methods does CBUAE officially approve as SMS replacements?

How quickly can financial institutions implement compliant authentication systems?

Are other regional financial markets implementing similar SMS phase-outs?

Are there specific data residency requirements for biometric authentication data in the UAE?
