India's digital payment landscape is now more secure as two-factor authentication becomes mandatory for all transactions, including UPI, offering enhanced protection against fraud and unauthorised access.

Key Points
- Two-factor authentication (2FA) is now mandatory for all digital transactions, including UPI, to enhance security.
- The RBI's directive requires users to complete two verification steps for each transaction, preventing unauthorised payments.
- Acceptable 2FA methods include one-time passwords (OTP), fingerprint authentication, and facial recognition.
- Banking apps will restrict screenshots and screen recordings to protect users from fraud.
- While 2FA may add a slight delay to transactions, it significantly improves the security of digital payments.
Two-factor authentication for all digital transactions, including the popular UPI platform, becomes effective from Wednesday in line with the RBI's direction as a measure to curb fraud.
Transactions will only be processed if the user completes both verification steps, meaning even if someone sees your PIN, unauthorised payments will not be able to go through.
According to the Reserve Bank of India (RBI), all digital payment transactions in India are required to meet the norm of two-factor authentication. While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based one-time password (OTP) as the additional factor.
All payment system providers and payment system participants, including banks and non-bank entities, will ensure compliance with these directions by April 01, 2026, it had said.
The central bank introduced two-factor authentication (2FA) to reduce bank fraud and improve accountability.
Enhanced Security Measures
From today onwards, users will no longer be able to make transactions by simply entering their UPI PIN; they will also have to verify the transaction with a one-time password (OTP), fingerprint authentication or facial recognition.
Besides, users will not be able to take screenshots or screen recordings in the banking app; this is completely banned to protect users from fraud.
2FA could add a few seconds' delay to a transaction, as the user has to enter the OTP as well.
In an ecosystem like UPI, where transactions settle in seconds, the only meaningful window to act is before the transaction is completed, said Anil Tadimeti, Director (Strategy & Regulatory Affairs), Bureau.
"This is where authentication needs to evolve. Trust has to be established through context, by combining who you are, what you know, and what you have, and evaluating these signals in real time," he added.







