• All digital payment transactions in India are required to meet the norm of Two-Factor Authentication (2FA).
• While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based One Time Password (OTP) as the additional factor.
• In order to enable the payments ecosystem to leverage technological advancements for implementing alternative authentication mechanisms, the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025 have been published.
• All digital payment transactions shall be authenticated by at least Two-Factor Authentication.
• The factors of authentication can be from ‘something the user has’, ‘something the user knows’ or ‘something the user is’ and may comprise password, SMS-based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar-based).
• The new rules specify that at least one of the factors of authentication must be dynamically created or proven, meaning that the proof of possession of the factor, sent as part of the transaction, is unique to that transaction.
• The system should also be robust, in that compromise of one factor does not affect the reliability of the other.
• The directions provide the broad principles that shall be complied with by all participants in the payment chain when using any form of authentication.
• While these directions apply only to domestic transactions, in order to provide a similar level of safety for online international transactions undertaken using cards issued in India, they also incorporate necessary instructions for specific cross-border card transactions.
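As an added illustration (not part of the Directions and not RBI-provided code), the following Python sketch shows what the dynamic-factor and factor-independence requirements above amount to in code: a static PIN as "something the user knows" beside a device-bound software token whose proof of possession is an HMAC over the transaction details and a fresh nonce, so the proof is unique to that transaction and cannot be replayed or reused for a tampered amount. All keys, PINs, field names and transaction values are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for illustration (not from the Directions).
DEVICE_KEY = b"constructed-device-bound-secret"      # provisioned to the user's device
PIN_HASH = hashlib.sha256(b"1234").hexdigest()        # stored verifier for the static factor

def device_proof(device_key: bytes, txn: dict, nonce: bytes) -> str:
    """Token side: prove possession of device_key for this one transaction.
    The MAC covers the transaction fields and a fresh nonce, so the proof is unique."""
    msg = b"|".join([txn["txn_id"].encode(), str(txn["amount_paise"]).encode(),
                     txn["payee"].encode(), nonce])
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

class Verifier:
    def __init__(self, device_key: bytes, pin_hash: str):
        self.device_key = device_key
        self.pin_hash = pin_hash
        self.used_nonces: set = set()   # replay detection for the dynamic factor

    def authenticate(self, txn: dict, pin: str, nonce: bytes, proof: str) -> bool:
        # Factor 1: something the user knows (static PIN, constant-time compare).
        knows_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).hexdigest(), self.pin_hash)
        # Factor 2: something the user has, proven dynamically for this transaction.
        if nonce in self.used_nonces:
            return False                  # a replayed proof is never accepted
        has_ok = hmac.compare_digest(device_proof(self.device_key, txn, nonce), proof)
        # Factors are checked independently: the PIN does not help forge the proof,
        # and holding the device does not reveal the PIN.
        if not (knows_ok and has_ok):
            return False
        self.used_nonces.add(nonce)
        return True

def demo() -> dict:
    """Legitimate flow plus three failure cases; returns each outcome."""
    v = Verifier(DEVICE_KEY, PIN_HASH)
    txn = {"txn_id": "TXN-0001", "amount_paise": 150000, "payee": "merchant@bank"}
    n1 = secrets.token_bytes(16); p1 = device_proof(DEVICE_KEY, txn, n1)
    n2 = secrets.token_bytes(16); p2 = device_proof(DEVICE_KEY, txn, n2)
    return {
        "legit": v.authenticate(txn, "1234", n1, p1),
        "replay": v.authenticate(txn, "1234", n1, p1),
        "tampered_amount": v.authenticate(dict(txn, amount_paise=9999900), "1234", n2, p2),
        "wrong_pin": v.authenticate(txn, "0000", n2, p2),
    }

if __name__ == "__main__":
    print(demo())
```

Only the first call succeeds; the replay, the amount change and the wrong PIN are each rejected even though the other factor is valid.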