Table of Contents
Why Are OTPs Being Banned and Why Now?
OTPs vs. Passkeys: What's Actually Changing?
Which Businesses and Platforms Are Affected?
The UAE's Authentication Timeline: Where Things Stand
How GSIT Helps Your Business Navigate This Change
What Happens If You Remain Non-Compliant?
The UAE has become the world's first country to ban SMS-based one-time passwords, accelerating the adoption of passkeys and redefining the future of passwordless authentication in the country. As organizations navigate this transition, GS IT is helping businesses implement secure authentication strategies and move toward stronger passkey authentication designed for modern digital protection.
For years, businesses relied on OTPs to verify users. But cyber risks have evolved, and organizations across the UAE are now moving to replace OTP with passkeys and adopt phishing-resistant authentication systems that are faster, safer, and more reliable for both customers and enterprises.
The Central Bank of the UAE (CBUAE) formalized this transition by directing banks and licensed financial institutions to eliminate SMS and email-based OTPs. As of March 31, 2026, the deadline has passed, and enforcement is now fully in effect, positioning the country at the forefront of the future of digital security in the UAE and setting new expectations for organizations aligning with UAE cyber security standards.
This blog explains why OTPs were phased out, what replaces them, which businesses are affected, and how organizations can successfully transition to secure passwordless login for enterprise environments in the new regulatory landscape.
SMS OTPs were introduced as a convenient security layer with a quick code sent to your phone to confirm it is really you. For years, they worked. But cybercriminals are smarter now, and growing OTP security risks have made them one of the easiest doors to break into enterprise systems.
Here is what makes SMS OTPs dangerous in 2026, and why passkeys are safer than OTP authentication methods:
The numbers tell the real story. OTPs are the entry point in 15–20% of all online fraud globally. In the UAE alone, over 40,000 people were scammed in 2023, losing an average of $2,194 each, and fraud jumped 43% year over year, with SMS OTPs serving as the primary attack vector. This is a clear example of why the UAE is moving away from OTPs toward stronger authentication frameworks.
If not OTPs, then what? Here is a simple breakdown of what is replacing them and why it is better for everyone, especially when evaluating OTP vs passkey security in modern enterprise environments.
| Feature | SMS OTP (Old Way) | Passkeys/Biometrics (New Way) |
|---|---|---|
| How it works | 6-digit code sent to your phone | Your fingerprint, face, or device key |
| Can it be stolen? | Yes — SIM swap, phishing, SS7 | No — never leaves your device |
| Can it be intercepted? | Yes — SMS is unencrypted | No — cryptographically protected |
| Speed for user | Wait for SMS, type code | One tap or glance — done |
| CBUAE compliant? | No — banned from March 2026 | Yes — mandated replacement |
The CBUAE directive applies to all Licensed Financial Institutions, but the wave of change does not stop at banks. Every organization that uses OTPs for customer authentication needs to think about what replaces SMS OTP in enterprise environments and how passkeys will change business security across industries. Here is who needs to act:
Banks & Financial Institutions: Directly mandated by CBUAE. Full compliance was required by March 2026. Liability shifts immediately for OTP-related fraud.
Payment Platforms & Fintechs: Any platform processing payments must implement passkey authentication for every transaction.
Healthcare Platforms: Patient portals and health apps handling sensitive data must upgrade login security to protect against breaches and support biometric authentication initiatives in the UAE.
E-Commerce & Retail: Online retailers with customer accounts and payment flows must adopt stronger authentication to maintain trust and support secure passwordless login across their ecosystems.
Enterprises & Corporates: Employee access to company systems, internal portals, and sensitive data must move beyond SMS-based verification as part of broader cybersecurity readiness strategies for businesses in the UAE.
Government Digital Services: The UAE's digital government platforms are aligning with the same standards: biometrics and FIDO2 are the new baseline for meeting UAE cybersecurity regulatory requirements.
EdTech & Learning Platforms: Any app operating in the UAE that uses SMS OTPs for user login will face increasing pressure to upgrade.
SaaS & App Developers: Digital platforms storing user data must ensure compliant authentication practices are in place to support long-term business cybersecurity resilience in Dubai.
May 2025
CBUAE Issues Notice 2025/3057
The Central Bank officially directs all licensed financial institutions to phase out SMS and email OTPs and adopt biometric and cryptographic alternatives, accelerating national UAE passkey adoption initiatives.
July 25, 2025
Banks Begin the Transition
UAE banks start phasing out SMS OTPs for digital and card-based transactions. Emirates NBD, ADIB, and FAB are among the first movers.
September 2025
Major Banks Complete the Switch
Several banks fully transition to biometric and in-app verification. Liability for 3DS OTP fraud immediately shifts to banks still using SMS.
January 6, 2026
SMS OTPs Officially End for Card Transactions
Major banks formally confirm that SMS OTPs are no longer sent for online card purchases. App-based authentication becomes mandatory as organizations transition to passwordless authentication and replace OTPs with passkeys.
March 31, 2026
Enforcement Now in Effect
SMS and email OTPs are prohibited for all authentications. Any institution still using them faces regulatory action and full fraud liability while competitors advance with modern phishing-resistant authentication and passkey-based security.
At GS IT, we specialize in helping businesses in the UAE and across the region upgrade their security infrastructure compliantly, efficiently, and without disrupting their customers' experience. Whether you are a bank responding to post-deadline enforcement requirements or an enterprise rethinking employee access, we deliver solutions aligned with evolving UAE cyber security standards and enterprise-grade authentication requirements.
The move away from OTPs is not just about compliance; it is an opportunity to build a fundamentally more secure digital operation and understand how passkeys work for business security in real-world enterprise environments. Here's how GSIT makes that transition smooth:
Identity & Access Management (IAM): GS IT's IAM solutions give you centralized control over who accesses what, when, and how across all your platforms and user types. We implement industry-leading IAM frameworks that support passkeys, FIDO2, and biometric login right out of the box. No more scattered passwords and vulnerable OTPs, just clean, verified, controlled access.
Multi-Factor Authentication (MFA) Upgrades: Already have an authentication setup? GS IT helps you upgrade it. We assess your current system and layer in modern MFA methods (push notifications, biometric verification, soft tokens, and FIDO2 passkeys), customized to your user base and regulatory requirements. Fully compliant with CBUAE directives.
Secure Login Infrastructure Implementation: Building a new platform or upgrading an old one? GS IT designs and deploys secure authentication infrastructure from the ground up. From Emirates Face Recognition integration to in-app cryptographic token systems, we ensure your login experience is both airtight and frictionless for end users.
Zero Trust Security Models: In a Zero Trust model, no user or device is trusted by default, even inside your network. GS IT implements Zero Trust architecture that continuously verifies every access request, monitors suspicious behavior in real time, and minimizes the blast radius if a breach ever occurs. This is the gold standard for enterprise security in 2026.
Many organizations assumed they still had time to make changes, but the deadline has already passed, and enforcement is now active. As authentication standards evolve across the UAE, the cost of inaction is becoming clearer for businesses of every size. The risks below highlight what is truly at stake.
As of April 2026, organizations operating in the UAE are expected to comply fully with the new authentication requirements, with regulators shifting focus from transition to enforcement.
Regulatory Risk: Non-compliant financial institutions face elevated risk ratings on CBUAE's internal dashboards and potential regulatory action, especially as enforcement of UAE cybersecurity regulations increases.
Full Fraud Liability: If a customer is defrauded through an SMS OTP on your platform, the financial institution is responsible for the full loss, not the fraudster.
Customer Trust Erosion: Users who experience fraud will leave, and in the era of social media, they will tell everyone. Reputational damage compounds fast.
Competitive Disadvantage: Banks and businesses that complete the transition early are already advertising it as a feature. Security is now a marketing differentiator as the UAE adopts passwordless authentication.
Rising Operational Costs: SMS costs between $0.01 and $0.20 per message, and 10–15% of OTPs do not even arrive. Passkeys eliminate this entirely and improve the long-term cost efficiency of cybersecurity for businesses in Dubai.
Future-proof your identity security now by partnering with GS IT to implement modern, secure authentication solutions.