UAE Banks End SMS OTPs in 2026: New In-App Security for Online Payments
UAE to Stop SMS OTPs for Online Payments from 2026

For countless residents in the United Arab Emirates, the familiar chime of an SMS arriving with a six-digit code has been an essential part of online life. This sound, synonymous with verifying a purchase, is now set to become a thing of the past. In a major move to bolster digital security, several leading UAE banks will officially cease sending One-Time Passwords (OTPs) via text message for online card transactions starting January 6, 2026.

Why the UAE Is Phasing Out SMS OTPs: A Security Imperative

This shift is not a simple policy tweak but a comprehensive security overhaul mandated by the Central Bank of the UAE (CBUAE). For years, SMS-based two-factor authentication was considered standard practice. However, the increasing sophistication of cybercriminals exposed critical vulnerabilities in the telecommunications network, which was never built for secure financial messaging. The CBUAE's directive, outlined in Notice 2025/3057, bans SMS and email OTPs as a standalone security method due to rising fraud.

The primary risks that prompted this change include SIM-swapping scams, where fraudsters hijack a victim's mobile number; phishing attacks that trick users into revealing codes; and the potential interception of messages via legacy telecom protocols. Industry reports indicate these methods have led to billions in losses globally, with a notable spike in such scams within the UAE recently.

The Future is In-App: How Your Online Payments Will Work

The new system replaces the vulnerable SMS channel with a secure, mobile-first authentication process. Known as "In-App Approval," this method keeps the verification entirely within your bank's encrypted application. Here is the new flow for an online purchase:

  • You proceed to checkout on a website or app and click 'Pay'.
  • Immediately, a push notification from your bank's official app appears on your smartphone screen.
  • Tapping this notification opens the app, displaying precise transaction details like the merchant's name and the exact amount.
  • Finally, you approve the payment using biometric verification (Face ID or fingerprint) or your secure Smart Pass PIN.

This "closed-loop" system ensures the person authorizing the payment is physically in possession of the registered and trusted device. It also eliminates issues faced by travelers who frequently cannot receive SMS when roaming abroad.

What UAE Residents Must Do to Prepare

This change impacts every individual in the UAE who shops online or uses digital banking services. To ensure a seamless transition and avoid declined transactions, residents are urged to take the following steps immediately:

  • Update your bank's mobile application to the latest available version.
  • Enable push notifications and biometric login (fingerprint/Face ID) within the app's settings.
  • Log into your banking app and complete any required authentication setup well before the January 6, 2026 deadline.

After SMS OTPs are phased out, any online card payment not verified through the bank's app will be declined. iPhone and Android users must also ensure their device settings permit notifications from their banking application. Banks recommend switching to the app-based method early to prevent any disruption to your digital payments.

This initiative is part of the Central Bank of the UAE's broader strategy to fortify the nation's digital banking infrastructure against evolving fraud patterns. While the final deadline for all banks to phase out SMS and email OTPs is March 2026, many institutions are implementing the change ahead of schedule. The goal is to align with global security best practices, drastically reduce fraud, and offer customers a more secure, convenient, and unified payment experience.