UAE banks move beyond SMS OTPs
UAE banks are accelerating a major security shift. Under new directives from the Central Bank of the UAE, SMS and email one-time passwords will be phased out and replaced with in-app approvals, biometric logins, and risk-based authentication. The goal is clear: raise the bar on security across the financial system and shut down the fraud techniques that have exploited legacy OTPs.
By the end of March 2026, licensed financial institutions are expected to complete the transition away from SMS and email-based codes. That said, many banks are already nudging customers toward app-based authentication. This is part of a broader push to strengthen fraud detection, improve AI governance, and build operational resilience across digital banking.
The change touches everyday tasks. Online shopping, local and international transfers, bill payments, and card-not-present transactions will increasingly require approval inside your banking app rather than a six-digit code sent by text.
What changes for your day-to-day banking
Instead of waiting for a text message or checking your email, you will approve transactions directly in your banking app. Banks are leaning on fingerprint and facial recognition along with secure app PINs to verify identity and confirm payments.
Expect to see prompts like "Authentication via App" or similar options inside your bank's mobile app. These flows are designed to be fast and familiar. If your device supports biometrics, you tap to approve with your face or fingerprint. If not, a secure app PIN will be used.
- Online purchases: Card payments may require you to confirm in-app instead of entering a code from SMS.
- Transfers and bill payments: New payees, higher amounts, or unusual patterns may trigger in-app approvals.
- Profile and security changes: Updating contact details, limits, or passwords may need biometric confirmation.
- Card controls: Freezing a card, changing usage limits, or enabling e-commerce can require in-app authorization.
For most customers, this removes the hassle of late or lost OTPs and provides a more secure link between your device, your identity, and your transactions.
Why SMS and email OTPs are being phased out
SMS and email OTPs have been a workhorse for years, but they come with well-known weaknesses. Criminals have repeatedly exploited them through SIM-swap attacks, phishing, and social engineering. In many cases, victims are tricked into revealing an OTP over the phone or through fake websites. Malware can also read text messages on compromised devices.
These attacks have driven higher fraud losses across the region, especially as digital payments have grown. Regulators and banks agree that OTPs sent over channels outside the banking app create avoidable risk. Bringing approvals into the app, combined with biometrics and device checks, helps ensure that even if a phone number or email is compromised, the attacker still cannot authorize transactions.
Risk-based authentication takes center stage
Not every transaction carries the same risk. That is where risk-based authentication comes in. Banks analyze signals like device reputation, location, transaction amount, and user behavior to decide when to keep things low-friction and when to step up verification.
If everything looks normal, you might glide through with a simple in-app tap. If something looks off, the app will ask for biometrics or a secure PIN. This balances security with convenience and reduces the need for blanket, one-size-fits-all checks.
- Active call detection: Alerts when a customer is on a live call during a high-risk action, a common scenario in impersonation scams.
- Screen sharing detection: Flags when a device appears to be sharing its screen, a tactic scammers use to watch and guide victims.
- New device or location: Triggers additional checks when a transaction originates from an unfamiliar device or region.
- Unusual behavior: Looks for patterns that do not match your typical login or payment habits.
- Higher value transactions: Steps up authentication when amounts exceed normal ranges.
These capabilities aim to disrupt scams in real time. If a fraudster is coaching a victim over the phone or directing them to share their screen, the app can block or escalate the transaction before money moves.
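To make the decision logic concrete, here is a small added example (not code from any bank or from the Central Bank) that maps the signals listed above to one of three outcomes: a simple in-app tap, a biometric or PIN step-up, or a hold. The field names, weights, and thresholds are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    APPROVE_TAP = "simple in-app tap"
    STEP_UP = "biometrics or secure app PIN"
    HOLD = "block or hold for review"

@dataclass(frozen=True)
class Signals:
    amount: float
    typical_max: float              # assumed: upper end of the customer's usual amounts
    known_device: bool = True
    known_location: bool = True
    new_payee: bool = False
    on_active_call: bool = False
    screen_sharing: bool = False
    behavior_anomaly: float = 0.0   # assumed model score, 0.0 normal .. 1.0 unusual

# Assumed weights and thresholds, for illustration only.
WEIGHTS = {"new_device": 2, "new_location": 1, "new_payee": 1,
           "high_value": 2, "unusual_behavior": 2}
STEP_UP_AT, HOLD_AT = 1, 5

def decide(s: Signals) -> tuple[Decision, list[str]]:
    """Return the decision plus the signals that drove it (for audit logs)."""
    fired = {
        "new_device": not s.known_device,
        "new_location": not s.known_location,
        "new_payee": s.new_payee,
        "high_value": s.amount > s.typical_max,
        "unusual_behavior": s.behavior_anomaly >= 0.7,
    }
    reasons = [name for name, hit in fired.items() if hit]
    score = sum(WEIGHTS[name] for name in reasons)
    coached = [n for n, hit in (("active_call", s.on_active_call),
                                ("screen_sharing", s.screen_sharing)) if hit]
    # A coached victim passes biometrics themselves, so step-up alone is not
    # enough: hold when a call or screen share coincides with a risky action.
    if coached and (fired["new_payee"] or fired["high_value"]):
        return Decision.HOLD, coached + reasons
    if score >= HOLD_AT:
        return Decision.HOLD, reasons
    if coached or score >= STEP_UP_AT:
        return Decision.STEP_UP, coached + reasons
    return Decision.APPROVE_TAP, reasons
```

Returning the list of triggered signals alongside the decision gives fraud teams a record of why a payment was challenged or held.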
AI fraud checks and real-time scam disruption
Banks are also tightening fraud controls with new AI-driven monitoring. Machine learning models sift through signals across devices, accounts, and networks to spot anomalies and emerging patterns. When a transaction seems suspicious, the system can require biometric validation, push a step-up challenge, or hold the payment for further review.
New rules encourage the use of behavioral intelligence that recognizes when a user appears to be under duress or following a scammer's prompts. Combined with active call and screen sharing detection, this creates additional layers of defense that are far harder to bypass than a simple OTP.
Impersonation scams remain a major threat across the Middle East. Criminals pose as bank staff or government officials and pressure people to act quickly. Social media phishing is increasingly targeting younger users, and romance scams continue to cause losses. The move to in-app approvals and AI checks is a direct response to this surge.
Stronger AI governance from the central bank
Alongside the authentication changes, the Central Bank has issued guidance for how financial institutions should deploy artificial intelligence and machine learning. The framework sets accountability standards for models used in risk monitoring, fraud detection, and customer profiling. It emphasizes safeguards for automated decision-making, including governance, transparency, and human oversight.
The intent is to ensure that AI enhances consumer protection rather than undermining it. Banks are expected to monitor model performance, guard against bias, and document how decisions are made. Data protection requirements are central, with clear expectations around privacy and security.
For customers, this means more consistent, explainable decisions when AI is in the loop. For banks, it means building processes and controls that can stand up to regulatory scrutiny while still catching fraud at scale.
Biometrics expand beyond the app
The Central Bank has also piloted facial and palm biometrics for payments, a first in the region. These pilots point to a future where biometrics play a bigger role not just in logging in but also in authorizing payments across channels. The aim is to reduce reliance on passwords and fragile codes, while making transactions faster and more secure.
Biometrics offer strong security when implemented correctly. Still, banks must design for inclusivity with multiple options, like a secure app PIN, for situations where biometrics are not available or do not work well. Clear consent, strong encryption, and device-level storage for biometric templates are also key to maintaining trust.
What customers should do now
If you bank in the UAE, a few simple steps will smooth the transition and help keep your accounts secure.
- Update your banking app: Install the latest version to access in-app approvals and security updates.
- Enable biometrics: Turn on fingerprint or face authentication if your device supports it.
- Learn the new flow: Get familiar with approving logins and payments inside the app.
- Stay alert to scams: Bank staff will not ask you to share codes, screen-share your phone, or approve unknown transactions.
- Protect your device: Use a device passcode, keep your OS up to date, and avoid installing unknown apps.
- Review contact details: Make sure your phone number and email on file are current to receive important alerts.
As banks deprecate SMS and email OTPs, expect fewer text messages asking you to confirm transactions. If you receive one and it seems out of place, treat it as a red flag.
What this means for banks across the market
Larger institutions are generally further along in deploying in-app authentication and advanced fraud controls. Some smaller banks are now ramping up to meet the requirements, which can include new detection tools, analytics, and customer education. The shift is as much operational as it is technical.
Consistency will matter. Customers should see clear, simple prompts and minimal friction unless risk is high. Behind the scenes, banks will be aligning their fraud teams, technology stacks, and governance processes to comply with the Central Bank's expectations on AI and security.
Impact on the wider digital economy
For e-commerce and digital payments, stronger authentication should reduce fraud over time. There may be a short adjustment period as customers get used to in-app approvals instead of OTPs. Clear instructions at checkout and within banking apps can help keep abandoned transactions low.
As risk-based controls mature, legitimate transactions should flow with less friction, while risky ones face tighter scrutiny. That is the balance regulators and banks are aiming for.
Privacy and data protection stay front and center
With more reliance on biometrics and AI, privacy and data protection are critical. Banks are expected to secure biometric data, minimize what they store, and keep sensitive data on the device where possible. The Central Bank's AI guidance reiterates the importance of human oversight, transparency, and data protection.
Customers can play a role by reviewing app permissions, using secure device settings, and avoiding risky behavior like jailbreaking devices or sharing screens with unknown parties. Trust is built when strong tech meets clear communication.
Timeline and what to expect next
Banks are working toward a March 2026 deadline to retire SMS and email OTPs in favor of in-app and biometric approvals, backed by risk-based controls. Some institutions will move faster, and you may already see fewer SMS requests or new prompts inside your banking app.
Expect continued enhancements as banks refine their fraud models and broaden biometric options. The overall direction is set: more secure, app-centric approvals with AI-driven monitoring and tighter governance across the sector.
Key takeaways
- SMS and email OTPs are being phased out across UAE banks, with a shift to in-app approvals, biometrics, and risk-based authentication by March 2026.
- Fraud defenses are getting smarter, including active call and screen sharing detection and behavioral intelligence to block real-time scams.
- AI governance is tightening, with clear rules for accountability, oversight, and data protection in financial services.
- Everyday banking will feel different. Expect to approve transfers and online purchases inside your app with fingerprint, face, or a secure PIN.
- Scam awareness still matters. Never share codes, do not screen-share with strangers, and question any urgent payment requests.
The bottom line: this is a significant upgrade to the UAE's digital banking security. It aims to cut fraud without adding needless friction, giving customers a safer and more streamlined way to bank.

Written by
Tharun P Karun
Full-Stack Engineer & AI Enthusiast. Writing tutorials, reviews, and lessons learned.