UAE Banks Have Removed SMS OTPs: What You Need to Do Now

By /

If you have noticed that your UAE bank is no longer sending OTP codes by SMS or email when you make online purchases, you are not imagining things. As of January 6, 2026, major banks across the UAE officially ended SMS-based one-time passwords for online card transactions, completing a shift mandated by the Central Bank of the UAE. Here is what changed, why it happened, and what you need to do.

What Changed?

From January 6, 2026, UAE banks stopped sending one-time passwords (OTPs) via text message or email for online card payments. Instead, all transaction approvals now happen inside your bank’s mobile application.

When you make an online purchase, rather than receiving a six-digit code on your phone, you will receive a push notification in your banking app. You then open the app, review the transaction details, and approve or decline the payment using fingerprint, facial recognition, or a secure in-app PIN.

Why Did This Happen?

The Central Bank of the UAE (CBUAE) issued a directive requiring all financial institutions to eliminate SMS and email-based OTPs by March 31, 2026. Many banks accelerated the timeline after a significant spike in SIM-swap fraud and phishing attacks in 2025.

SMS OTPs have become increasingly vulnerable because:

– SIM swapping: Fraudsters dupe telecom operators into transferring a victim’s mobile number to a new SIM, allowing them to receive OTPs.

– Phishing: Fake websites mimic bank portals to capture both passwords and OTP codes.

– SS7 protocol exploits: Technical vulnerabilities in the global SMS network can allow interception of messages.

The UAE is among the first countries in the world to mandate this switch at a national level, ahead of many European markets.

What Do You Need to Do?

To continue making online payments without disruption, follow these steps:

  1. Download your bank’s mobile app if you have not already (Emirates NBD’s ENBD X app, FAB Mobile, ADIB Mobile, etc.).
  2. Register and activate the app on your smartphone.
  3. Enable push notifications so transaction approval requests come through immediately.
  4. Set up biometric authentication — fingerprint or face recognition — within the app.
  5. Link your cards to the app for payment approval.

If you prefer not to use a mobile app, most banks allow you to submit a written request to retain SMS OTP access, but liability for any resulting fraud shifts to the customer in that case.

What Does the New Process Look Like?

Here is the new step-by-step flow when making an online card payment:

  1. Enter your card details on a website or shopping app as normal.
  2. Instead of an OTP pop-up, you will see a message on the payment screen asking you to approve the transaction via your bank app.
  3. An SMS alert may also arrive informing you to open your app.
  4. Open your banking app. A pending transaction notification will appear.
  5. Review the merchant name and transaction amount.
  6. Approve using your fingerprint, Face ID, or secure PIN.
  7. Payment is confirmed.

EmiratesNBD, FAB, ADIB, and most other major UAE banks have already completed this transition.

What If I Am Travelling Abroad?

This change is actually better for travellers. SMS OTPs frequently failed when using overseas SIM cards or roaming networks, causing card payment declines at hotels, car rentals, and restaurants abroad. The new in-app system works over Wi-Fi or mobile data, regardless of which country you are in or which SIM card you are using.

Global mobility advisors recommend ensuring your banking app is set up and fully tested before departing the UAE.

What Authentication Methods Are Now Accepted?

The CBUAE has mandated that banks adopt strong, phishing-resistant authentication. Accepted methods include:

– Biometrics: Emirates Face Recognition, fingerprint scanning

– In-app approvals: Push notifications with tap-to-authenticate features

– Soft tokens: Cryptographic in-app codes (FIDO2-standard passkeys)

– Behavioral biometrics: Background analysis of usage patterns

These methods are required for registering a new device, accessing a banking app for the first time, enrolling in instant payment services, and adding cards to digital wallets such as Apple Pay or Google Pay.

Frequently Asked Questions

Q: Will my online payments stop working if I don’t set up the app?

A: Yes. Without the banking app configured for in-app approvals, online card payments requiring 3D Secure verification will be declined.

Q: Does this affect all UAE banks?

A: Yes. The Central Bank of the UAE mandate applies to all licensed financial institutions, including banks, exchange houses, and payment service providers.

Q: What if I don’t have a smartphone?

A: You can request to keep SMS OTP access by submitting a written request to your bank. However, the bank will no longer be liable for fraud that occurs using the SMS method.

Scroll to Top