The Reserve Bank of India (RBI) on 26 September 2025 issued new directions requiring banks and payment service providers to adopt additional, risk-based authentication measures beyond the current two-factor system, in order to strengthen security in digital transactions.
The Story
The RBI said at least one factor of authentication in a digital transaction — other than card-present swipes at physical points of sale — must be dynamically generated and unique to that transaction. This ensures that proof of possession, such as a one-time code or token, cannot be reused or intercepted.
“It shall be ensured that for digital payment transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction,” the central bank said in its notification.
It also stressed that compromise of one factor, such as a static password, should not affect the reliability of the second factor, thereby reducing the risk of fraud.
Why It Matters
-
Rising frauds: India has seen a surge in phishing, SIM-swap, and malware attacks targeting digital transactions.
-
Dynamic authentication: By mandating unique, transaction-specific credentials, RBI aims to close loopholes where stolen data could be reused.
-
Industry impact: Banks, wallets, and UPI providers will need to upgrade systems, potentially adopting AI-driven fraud detection and tokenisation.
Background / Context
-
Two-factor authentication (2FA): India already mandates 2FA for most online transactions, typically combining a password/PIN and a one-time password (OTP).
-
Global standards: The move aligns with global best practices such as the EU’s PSD2 rules, which require “strong customer authentication” based on possession, knowledge, and inherence.
-
Digital adoption: With UPI crossing 12 billion monthly transactions in 2025, security enhancements have become a regulatory priority.
Implications
-
For customers: Stronger protection against fraud, though it may add an extra step in some transactions.
-
For providers: Need to deploy advanced authentication tools like device fingerprinting, biometric checks, or cryptographic tokens.
-
For ecosystem: Could slow transaction speed slightly but enhance long-term trust in India’s digital payments architecture.
Conclusion
The RBI’s mandate for dynamic, risk-based authentication marks a new phase in securing India’s rapidly growing digital payments ecosystem. By requiring transaction-specific proof and non-overlapping factors, the regulator seeks to balance convenience with robust protection against evolving fraud risks.


