TL;DR
- UAE banks will stop using SMS and email OTPs for online and money transfer verifications
- In-app authentication will be the new standard for confirming transactions
- The shift begins July 25, 2025, with full rollout required by March 31, 2026
Starting Friday, July 25, 2025, banks in the UAE will begin moving away from one-time passwords (OTPs) sent via SMS or email, according to a report by Emarat Al Youm, a local news outlet. Instead, customers will need to use their bank’s mobile app to approve or reject digital transactions, both local and international.
This change is being rolled out gradually across banks, and it comes from a directive issued by the Central Bank of the UAE. The final deadline for full implementation is March 31, 2026. By then, all banks must stop using SMS and email for transaction authentication.
The switch is designed to improve security and reduce the risk of fraud, especially as cyberattacks on banks continue to rise. From phishing and SIM-swapping to ransomware, traditional OTP methods have become too easy for attackers to exploit.
According to Emarat Al Youm, an official document circulated to banks said:
“Based on instructions from the Central Bank of the UAE, please note that the receipt of one-time passwords via text messages or email will be gradually phased out. Customers can now complete electronic transactions with ease via the smart application by selecting the ‘authentication via mobile application’ feature.”
Why Is This Happening?
The Financial Threat
- According to the UAE Cybersecurity Council, public sector entities face and block over 50,000 attacks daily.
- According to the UAE’s cybersecurity officials, ransomware attacks increased by 32% in 2024.
- Ransomware incidents in the UAE rose from 27 in 2023 to 34 in January–November 2024, as reported by Acronis.
OTPs Are No Longer Safe
- OTPs sent by SMS or email can be hijacked through phishing, SIM-swapping, or malware
- Many users unknowingly hand over codes to scammers
- Once stolen, attackers can quickly empty accounts or transfer money abroad
What Will Change for You?
OTPs will be phased out and you’ll no longer get one-time codes via SMS or email. Instead, you’ll get a push notification from your bank’s app.
Transactions will need in-app confirmation
- When you make a payment, your bank app will ask you to approve or reject it
- You must have the app installed and notifications turned on
- This adds a real-time layer of security
What Banks Want Customers to Know
Bank officials say this is a better way to protect both users and systems. In quotes published by Emarat Al Youm, one official explained that the mobile app method lets the customer directly authorize or reject transactions, making it harder for fraud to succeed.
This approach also means less reliance on networks that can be intercepted or spoofed. It adds a layer of active consent from the customer, instead of passive code entry.
FAQ
1. Will SMS OTPs still work for now?
Yes, during the transition period. But expect them to disappear by March 2026.
2. What happens if I lose my phone?
Notify your bank immediately. They’ll freeze app access and help you reconnect safely.
3. What if I don’t want to use a mobile app?
Eventually, it won’t be optional. For digital transactions, mobile app authentication will become the only method available.