Last month the UAE Central Bank mandated the end of SMS and email OTPs for financial services by March 2026 – joining a global regulatory shift toward phishing-resistant authentication. Director of Programmes Nick Rossman explores how the move reshapes digital identity strategy across banking, telecom, and CPaaS sectors, pushing innovation in secure alternatives like passkeys, app-based methods, and network APIs, while reinforcing SMS fraud prevention efforts.
The Central Bank of UAE (CBUAE) has issued a directive mandating the discontinuation of SMS and email-based One-Time Passwords (OTPs) for authentication in financial services by March 2026. This decisive move positions the UAE at the forefront of a global regulatory shift aimed at bolstering digital identity security and mitigating the growing threat of sophisticated cyberattacks.

For years, SMS OTPs served as a ubiquitous second factor in authentication. However, their inherent vulnerabilities to threats such as phishing, SIM swapping, SS7 exploits, and mobile malware have rendered them increasingly unreliable in the face of escalating cybercrime. Global financial losses from SMS pumping fraud alone reached an estimated $6.7 billion in 2023, underscoring the urgent need for more robust authentication mechanisms. The CBUAE’s mandate directly addresses these systemic weaknesses, compelling financial institutions to adopt secure, risk-based user authentication technologies.
This regulatory action in the UAE is not an isolated event but rather a reflection of a burgeoning global trend. Similar directives and strong advisories are emerging from regulatory bodies worldwide, including Bank Negara Malaysia, the Monetary Authority of Singapore, and the European Union’s PSD2/PSD3 frameworks, all pushing for stronger authentication protocols. In the United States, agencies like the FBI and CISA have explicitly warned against SMS-based authentication, advocating for phishing-resistant methods such as passkeys and authenticator apps. Hong Kong is in the process of mandating device-based authentication, and reports suggest the Reserve Bank of India is planning to eliminate SMS OTPs for digital payments entirely.
The convergence in regulatory policy has been significantly accelerated by high-profile fraud incidents, such as the OCBC Bank phishing scams in Singapore and the “Salt Typhoon” incident in the US. These events have acted as critical catalysts, compelling immediate action and a shared recognition among governments and financial authorities regarding the systemic risks posed by SMS OTPs.
The transition away from SMS OTPs presents both significant challenges and strategic opportunities across the mobile ecosystem. Financial institutions face the complex task of overhauling legacy systems, incurring substantial development and integration costs, and managing operational complexities. Crucially, comprehensive customer education campaigns are vital to ensure a seamless transition, particularly for less tech-savvy or digitally excluded individuals.
For CPaaS (Communications Platform as a Service) providers, traditionally reliant on bulk SMS authentication traffic, the imperative is a strategic pivot towards offering comprehensive ‘customer interaction solutions.’ This involves diversifying into richer, more monetizable channels such as Rich Communication Services (RCS) and Over-The-Top (OTT) applications like WhatsApp, leveraging features like conversational AI and advanced campaign management. This move up the value chain aligns with initiatives focused on the evolution of messaging for enhanced customer engagement. To further support this evolution and enhance both security and user experience, global carriers are now more actively promoting Network APIs as a strategic alternative for seamless user verification. These APIs discreetly operate in the background with user consent, removing the need for traditional, interactive methods like entering verification codes. However, until Network APIs achieve global and unilateral adoption, SMS will remain a necessary fallback due to existing implementation challenges.
Mobile Network Operators (MNOs) face projected revenue challenges from the anticipated decline in Application-to-Person (A2P) SMS traffic. However, this also creates a strategic imperative for MNOs to adapt and innovate. Beyond merely reducing fraud on the SMS platform, MNOs must develop and promote advanced API suites, such as the SIM Swap API. These APIs leverage unique network-level security checks and provide value to enterprises that OTT channels cannot replicate, thereby positioning MNOs as critical components of the broader digital trust ecosystem. This aligns with the “Telco to TechCo through APIs” transition.
The Mobile Ecosystem Forum is actively guiding its members through this transformative period. MEF’s extensive body of reports on digital identity, authentication, and fraud frameworks provides essential insights and best practices. Initiatives such as the MEF Trust in Enterprise Messaging (TEM) framework are crucial in fostering a more secure messaging ecosystem. While the industry moves towards phishing-resistant authentication methods, there remains a critical need to address fraud across all messaging channels and “return trust to SMS” where it remains a viable communication tool.
To that end, MEF has been instrumental in advocating for and implementing initiatives to combat SMS fraud and improve the integrity of the channel. The SMS Sender ID Registry, for example, plays a vital role in verifying legitimate sender identities, making it harder for fraudsters to spoof messages. The MEF SMS Business Code of Conduct sets clear ethical guidelines for the industry, promoting transparency and best practices. Furthermore, the MEF Trusted Messaging Working Group brings together industry leaders to share intelligence, develop strategies, and implement solutions to proactively fight fraud and protect consumers. These initiatives are designed to safeguard the long-term future of SMS for its appropriate use cases, even as authentication shifts to more secure methods.
The future of digital identity is unequivocally moving towards phishing-resistant technologies, with passkeys, advanced biometrics, and intelligent app-based solutions poised to become the new standard for secure authentication. These solutions offer enhanced security while simultaneously improving the user experience, moving beyond the “authentication fatigue” often associated with SMS OTPs. However, robust authentication is only one component of a comprehensive security strategy. The industry must embrace a layered security approach, where strong authentication is seamlessly integrated into broader fraud detection and prevention frameworks that leverage real-time monitoring and advanced analytics.
Crucially, the success of this transformation hinges on robust public-private collaboration. This includes strengthening coordination between banks and telecom providers to counter threats like SIM swap fraud, integrating fintech and cybersecurity innovations, and driving widespread consumer awareness campaigns. MEF will continue to be a vital platform for driving standards, fostering innovation, and facilitating this essential collaboration across the entire mobile ecosystem. The mobile ecosystem is not merely adapting; it is actively reshaping the very foundations of digital trust for a more secure and efficient future for all.