Banks in the United Arab Emirates (UAE) have until March 31, 2026 to migrate all their customers to new methods of authentication after the Central Bank of the UAE (CBUAE) demanded they stop using SMS messages and emails to send one-time passwords (OTPs). The order was only issued in June, but some banks are already racing ahead with the transition. Emirates NBD, one of the country’s largest banks, announced this month that push-based authentication through its app will begin on November 1. Customers will progressively be introduced to app-based authentication, first for transfers and later for all transactions paid using the bank’s debit and credit cards.
Other countries have previously made the decision to stop the use of SMS OTPs for financial transactions. Malaysia started the trend by ending the use of SMS for multi-factor authentication of bank transactions in 2023. Singapore then chose to follow Malaysia’s lead last year.
Changes like this typically provoke some negative reactions from customers who are unwilling to change their habits, and also from pseudo-experts who wrongly claim it will make banking less secure than before. Some of the public announcements made by banks in the UAE have said this change is necessary to keep pace with the leading cybersecurity practices of other countries. The UAE is well ahead of most other countries. Emiratis are being told about other countries because it will help to overcome potential resistance to the transition.
There are increasing signs that East Asian and Middle Eastern countries rank among the worldwide leaders in reducing scams by changing the way communications services can be used. These two regions are home to many of the first countries that mandated automated blocks on international inbound voice traffic that spoofed a domestic phone number. That practice is now becoming more widespread across Europe and has also proven to be effective in India and Australia. Other continents, like Africa and the Americas, are lagging behind. When it comes to setting policy to reduce the risk of comms networks being used to commit financial crimes, most of the exciting new policy developments now originate in the Middle East and East Asia.
It is inevitable that all countries will eventually stop the use of SMS for authentication because it is such an insecure communications channel. How long it takes a country to switch off the use of SMS OTPs for financial transactions will serve as a useful guide to how advanced that country’s economy is and how much its leaders care about protecting the public from crime. We need to ignore the way such changes are marketed to the public because this will vary according to national prejudices. As such, the reports published by the national press will often obscure how far ahead, or how far behind, a country really is. There are some countries where lower levels of smartphone penetration will delay the adoption of app-based authentication. Sadly, there are also some countries where smartphones are the norm but policymakers dare not upset banks that argue that the cost of imposing app-based authentication on their customers is too great. They are wrong because the cost of crime due to weak controls like SMS-based authentication is much higher.



