UAE Banks to Phased Out SMS OTPs for Online Transactions

If you’ve been in the UAE for a while, those SMS codes you’ve relied on for online shopping have probably felt like a constant companion. However, come January 6, 2026, several prominent banks in the UAE will discontinue sending one-time passwords (OTPs) through text messages for online payments.

This change signals a significant shift in the banking landscape, ordered by the Central Bank of the United Arab Emirates (CBUAE). While SMS codes have long been the standard for two-factor authentication, they now appear vulnerable due to increasing sophistication among hackers. The vulnerabilities in SMS systems seem too substantial to overlook.

Why Are UAE Banks Ending SMS OTP?

The underlying motivation here is straightforward: security. While SMS may be easy, it’s transmitted over open networks that weren’t designed for sensitive financial transactions. Consequently, they become attractive targets for various scams, including:

• **SIM swapping:** Criminals deceive mobile providers into transferring your number to a new SIM, essentially stealing your identity and intercepting OTPs.
• **Phishing scams:** Scammers design fake websites resembling banks or delivery services, tricking users into entering their OTPs.
• **Interception:** Advanced hackers can exploit the outdated “SS7” protocol to capture SMS messages during transmission.

Reports indicate that fraud linked to SMS has resulted in billions of dollars in global losses. The UAE has not been immune, with a notable rise in fraud cases, prompting the central bank to issue Notice 2025/3057, which effectively bans SMS and email OTPs as standalone security measures.

What is In-App Approval?

The future of banking in the UAE revolves around in-app authentication. Instead of waiting for a text and manually entering a code, everything is streamlined. Here’s what your next online purchase will look like:

• **Trigger:** Click “Pay” on a shopping site or app.
• **Notifications:** You’ll receive push notifications straight from your bank’s official app instead of via SMS.
• **Review:** Tapping the notification opens the app, showing you details like the merchant name and amount, so you won’t have to guess what you’re typing.
• **Authorization:** Confirming your transaction can be done through biometrics (like Face ID or a fingerprint) or a secure Smart Pass PIN.

This method creates a “closed loop” system that guarantees the person validating the transaction has access to a trusted device. It removes reliance on phone networks, a significant advantage for travelers who often have difficulties receiving SMS codes abroad.

What Must Residents Do Now?

This change isn’t just a technical tweak; it affects everyone who shops online or engages in digital banking in the UAE. To prep for this, residents should:

• Update their bank’s mobile app to the latest version.
• Enable push notifications and biometric logins in the app settings.
• Log into their accounts and finish the verification setup before January 6th.

Why Act Now?

Once SMS OTPs are phased out, you won’t be able to authorize online card purchases with text codes. Without proper authentication through the bank app, transactions will be rejected. For iPhone and Android users, it’s essential to ensure device settings permit notifications from banking apps.

If you haven’t switched to app-based authentication yet, banks generally recommend doing this well ahead of the deadline to avoid any interruptions. This initiative is part of a broader strategy by the UAE Central Bank to enhance digital banking infrastructure. Regulators aim to eliminate SMS and email OTPs by March 2026, although banks are implementing changes earlier. This approach seeks to curb fraud and align with global best practices as digital fraud landscapes evolve. With in-app authentication, incorporating biometrics and encrypted channels, banks hope to establish a more secure, convenient, and unified payment experience for their customers.