RBI Makes Two-Factor Authentication Mandatory for All Digital Payments

From April 1, 2026, OTP alone will no longer clear a digital transaction in India. Here's what the RBI's new two-factor authentication rules mean for UPI, card, and wallet users.

Sentinel Digital Desk

Digital payments in India just got a significant security upgrade. From April 1, 2026, the Reserve Bank of India (RBI) has made two-factor authentication (2FA) mandatory for all online transactions — covering UPI, debit and credit cards, and mobile wallets.

The change means that a one-time password (OTP) alone will no longer be enough to complete a payment.

Under the new rules, every digital transaction will require at least two independent layers of verification. That could be a combination of an OTP with a PIN, password, biometric scan, or a hardware token.

For most everyday payments on trusted devices, the experience is expected to remain fairly seamless.

However, users may notice slightly longer processing times on new devices or when completing high-value transactions, where the security checks will be more rigorous.

The RBI has also built in a risk-based approach — meaning the intensity of authentication will vary depending on the nature and behaviour of the transaction, rather than applying a one-size-fits-all process.

The push for stronger authentication comes against a backdrop of rising online fraud in India.

Phishing attacks and SIM swap scams — where criminals intercept OTPs by hijacking a victim's mobile number — have exposed the vulnerabilities of single-layer, OTP-only systems.

By requiring an additional verification factor, the RBI aims to make it significantly harder for fraudsters to complete unauthorised transactions, even if they manage to obtain a user's OTP.

The new framework also shifts more responsibility onto financial institutions.

If fraud occurs because of a failure in a bank's or payment platform's own systems, that institution may be required to compensate affected customers directly.

Experts say this provision is designed to push banks to strengthen their security infrastructure, while also ensuring that fraud complaints are resolved faster than they currently are.

The RBI has signalled that the authentication overhaul will not stop at domestic payments.

Similar 2FA norms are expected to be extended to international transactions, including cross-border card payments, with full implementation targeted by October 2026.

India's digital payments ecosystem has grown at a rapid pace over the past decade, with UPI alone processing billions of transactions every month.

The RBI's latest move reflects a calculated effort to keep pace with that growth — tightening security without fundamentally disrupting the convenience that has made digital payments mainstream.

As one expert put it, the extra verification step may feel like a minor inconvenience at first, but the reduction in fraud risk it brings is expected to benefit millions of everyday users over the long run.