OTP & SMS Security

RBI 2026 Mandatory 2FA Rules: What Indian Apps Must Do

Plain-English summary of RBI's April 2026 mandatory 2FA rules for digital payments, what counts as a valid second factor, and how OTP fits in.

3 May 2026 · 9 min read

StartMessaging Team

Compliance

From 1 April 2026, the Reserve Bank of India requires every digital payment to be protected by an “additional factor of authentication” (AFA). The headline grabbed attention, but the operational details matter more — and SMS OTP is still a recognised second factor for most transaction tiers.

What Changed in April 2026

The 2026 framework moves AFA from a card-payment-only rule to a cross-channel rule covering UPI, prepaid wallets, recurring mandates, and net banking. It also introduces a risk-based tier where the chosen factor must scale with transaction value and user risk.

Who is Affected

  • Banks (issuers and acquirers).
  • Payment aggregators and gateways (PA/PG).
  • Prepaid Payment Instrument (PPI) issuers and wallets.
  • UPI apps and TPAPs.
  • NBFCs offering BNPL or instant-credit products.

Most fintech apps inherit compliance through their PG / aggregator, but you still need to demonstrate AFA on your own login and sensitive-action screens.

What Counts as a Valid Second Factor

RBI’s framework recognises three classes:

  1. Something you have: SMS OTP, push notification to a registered device, hardware token, silent network auth.
  2. Something you are: fingerprint, face, voice, or other biometric.
  3. Something you know: PIN or password (no longer enough on its own — must combine with one of the above).

Where SMS OTP Still Fits

For most consumer apps, SMS OTP is the cheapest and most universal “something you have.” It works on every Indian phone regardless of OS or smartphone status. Pair it with device binding for high-risk actions and you satisfy AFA across the full transaction ladder. See our deep-dive on silent authentication vs OTP for when each fits.

Exemptions and Risk-Based Auth

Low-value contactless payments under Rs 5000 may use a streamlined AFA flow (e.g. tap-and-go), and recurring mandates registered with AFA at setup don’t require AFA on each charge. Risk-based auth is encouraged: skip the second factor on low-risk repeats, escalate on anomalies.

Implementation Checklist

  1. Audit every authenticated action and tag its risk tier (low / medium / high).
  2. Map each tier to a factor combination (PIN+OTP, biometric+device, etc.).
  3. Add SIM-age and device-fingerprint checks for high-tier actions (defends against SIM swap).
  4. Log every AFA event with a tamper-evident audit trail.
  5. Document your AFA matrix and keep it ready for the next RBI inspection.
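A constructed Python sketch of checklist steps 1 to 4, added here as an illustration and not StartMessaging's code: a risk-tier function using the Rs 5000 threshold quoted above, a factor-matrix check that gates high-tier actions on SIM age and device recognition, and a hash-chained audit trail whose verification fails if any past entry is edited. The matrix contents, factor names, the 7-day SIM-age floor and the tier cut-offs are assumptions for illustration, not RBI text.

```python
import hashlib
import json

# Constructed AFA matrix (illustrative, not RBI text): tier -> satisfying factor combos
AFA_MATRIX = {
    "low":    [("otp",), ("pin",)],
    "medium": [("pin", "otp"), ("biometric", "device")],
    "high":   [("pin", "otp", "device"), ("biometric", "device")],
}
LOW_VALUE_LIMIT_RS = 5000   # streamlined-flow threshold quoted in the post
MIN_SIM_AGE_DAYS = 7        # assumed SIM-age floor before a high-tier OTP counts

def risk_tier(amount_rs, contactless=False, mandate_registered=False):
    """Step 1: tag the action with a tier ('exempt' for a mandate registered with AFA)."""
    if mandate_registered:
        return "exempt"                      # AFA was done at mandate setup
    if contactless and amount_rs < LOW_VALUE_LIMIT_RS:
        return "low"
    return "medium" if amount_rs < LOW_VALUE_LIMIT_RS else "high"

def afa_ok(tier, factors, sim_age_days=None, device_known=True):
    """Steps 2-3: match presented factors to the matrix; gate high tier on SIM age/device."""
    if tier == "exempt":
        return True
    if tier == "high" and (sim_age_days is None or sim_age_days < MIN_SIM_AGE_DAYS
                           or not device_known):
        return False                         # fresh SIM or unknown device: refuse
    return any(set(combo) <= set(factors) for combo in AFA_MATRIX[tier])

def _link(prev_hash, event):                 # commits to previous hash + canonical JSON
    body = json.dumps(event, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

class AuditTrail:
    """Step 4: hash-chained AFA log; editing any past entry makes verify() return False."""
    def __init__(self):
        self.entries, self.head = [], "0" * 64

    def record(self, event):
        digest = _link(self.head, event)
        self.entries.append({"prev": self.head, "event": event, "hash": digest})
        self.head = digest
        return digest

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or _link(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return prev == self.head
```

In a real deployment the chain head would be anchored somewhere the application cannot rewrite (an append-only store or a signed checkpoint), otherwise an attacker with write access could simply rebuild the whole chain.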

FAQ

Building a fintech? See our fintech OTP guide for the full architecture.

Ready to Send OTPs?

Integrate StartMessaging in 5 minutes. No DLT registration required.