Money Laundering Regulations 2017 UK AML Guide

The CBUAE SMS & OTP Ban: A Golden Opportunity for UAE Banks

By March 2026, the Central Bank of the UAE (CBUAE) will officially end the use of SMS and One-Time Passwords (OTP) for all financial institutions in the country. While some may view this as a compliance burden, forward-thinking banks see this mandate as a golden opportunity to redefine digital banking in the UAE.

This shift signals the end of a security mechanism that, while familiar, is increasingly vulnerable to sophisticated attacks. For financial institutions, embracing passwordless authentication using passkeys is not just a regulatory requirement—it’s a strategic move to enhance security, improve customer experience, and reduce operational costs.

Understanding the CBUAE Mandate

Why the Change Was Needed

The CBUAE’s directive stems from a growing concern over the risks associated with SMS OTP. Financial institutions have long relied on SMS OTP as a standard for multi-factor authentication. Yet, as cyber threats evolve, so too must security measures.

SMS OTPs have been shown to be vulnerable to:

  • SIM swap attacks where criminals intercept messages by duplicating a customer’s mobile identity.
  • Phishing attacks where attackers trick users into revealing one-time codes.
  • Man-in-the-middle attacks, which intercept SMS messages in transit.

The mandate aims to mitigate these risks and push UAE banks toward more robust, phishing-resistant authentication solutions.

Why SMS OTP Is No Longer Secure

The Rise of Phishing, SIM-Swapping, and Social Engineering

Cybercriminals are constantly developing new methods to exploit traditional authentication systems. SIM-swapping has become particularly prevalent in the UAE due to the increasing value of financial accounts and mobile banking adoption. Attackers often pose as mobile providers, convincing telecom operators to reassign a number to a new SIM card—giving them direct access to OTP messages.

Phishing attacks have also grown more sophisticated with AI-powered tools, enabling attackers to craft emails, messages, and even deepfake calls that convince customers to share their OTP codes.

Operational & Customer Experience Limitations

Beyond security, SMS OTP systems introduce friction into the customer journey. Delayed OTP messages, failed deliveries, and network issues frustrate users and result in higher call volumes to customer service centers. For banks, this translates into:

  • Increased operational costs
  • Lower digital adoption rates
  • Customer dissatisfaction and churn

SMS OTP is no longer scalable for modern banking expectations.

Passkeys: The Phishing-Resistant Alternative

With SMS OTP on the way out, passkeys have emerged as the preferred alternative for secure, frictionless authentication. Passkeys are passwordless credentials that use device-based cryptography and biometrics to authenticate users without transmitting codes over insecure channels.

How Passkeys Work

Passkeys leverage the security of FIDO (Fast Identity Online) standards. When a user registers a device, a cryptographic key pair is generated:

  • The private key stays securely on the device.
  • The public key is stored with the bank’s authentication server.

During login, the device signs a challenge using the private key, confirming the user’s identity. This approach eliminates passwords and OTP codes entirely, preventing theft, phishing, or interception.

Security Benefits for UAE Financial Institutions

  • Phishing-Resistant: Public/private key cryptography ensures that login credentials cannot be stolen or reused.
  • Device-Bound Authentication: The passkey is linked to a specific device and app or website, neutralizing MITM attacks.
  • Biometric Verification: Face ID, fingerprint, or other biometrics ensure that only the authorized user can authenticate.

By adopting passkeys, banks can dramatically reduce fraud risk while building trust with customers.

Frictionless Customer Experience

Passkeys simplify authentication for end-users. No more waiting for delayed SMS codes, entering multiple digits, or managing passwords. Customers log in with a simple fingerprint or facial scan—making banking faster, more intuitive, and less frustrating.

A smooth experience boosts digital adoption, encouraging customers to engage more frequently with online services and mobile apps.

Operational Cost Savings

Financial institutions also benefit from significant cost reductions:

  • Eliminating SMS delivery fees
  • Reducing password-related support tickets
  • Freeing IT resources for innovation rather than resets

These savings can be reinvested in digital transformation initiatives, improving overall competitiveness.

Extending Passkeys Beyond Login With CIAM

Secure Customer Onboarding

Passkeys allow banks to verify identities securely at account creation, reducing the risk of fraud from the outset. Using device biometrics and cryptographic verification ensures that only legitimate users can open accounts or access services.

Protecting High-Value Transactions

For sensitive operations like fund transfers, passkeys can trigger step-up authentication—requiring additional biometric confirmation before completing the transaction. This ensures security without adding friction for everyday banking activities.

Unified Digital Experience Across Channels

CIAM platforms allow passkeys to integrate seamlessly across:

  • Mobile banking apps
  • Web portals
  • Third-party banking integrations

This creates a consistent, secure experience for all digital touchpoints.

Truoco: Enabling UAE Banks to Lead in Passwordless Security

To navigate this transition successfully, banks need a trusted partner. Truoco specializes in identity verification and passwordless solutions for financial institutions, providing:

  • Rapid integration with SDKs and APIs designed for scale
  • FIDO-certified passkey technology
  • Compliance with UAE banking regulations
  • Support for remote onboarding, transaction security, and CIAM

By partnering with Truoco, banks can accelerate the shift to passwordless, phishing-resistant digital banking, gaining a competitive edge while meeting the CBUAE’s March 2026 deadline.

Rapid Time-to-Market With Truoco

Truoco’s platform allows banks to implement passkeys quickly, with minimal disruption to existing systems. Flexible SDKs and APIs reduce development cycles, enabling fast adoption across mobile, web, and internal applications.

Banks can also customize workflows to match risk levels, ensuring that higher-risk transactions or users are subject to additional verification while everyday banking remains seamless.

Proven Security & Compliance for Financial Institutions

  • FIDO2 and WebAuthn for secure, device-bound authentication
  • UAE National Cybersecurity Regulations for financial institutions
  • Data protection laws ensuring sensitive customer data remains secure

With Truoco, banks are not just compliant—they’re future-ready.

Preparing for the March 2026 Deadline

Financial institutions must act now. A phased implementation strategy is recommended:

  • Audit existing authentication methods and identify gaps.
  • Pilot passkey implementation with select digital services.
  • Integrate Truoco solutions for seamless CIAM adoption.
  • Educate staff and customers on the benefits and usage of passkeys.
  • Monitor and iterate to ensure security and usability remain optimal.

Early movers will set the standard for secure, passwordless digital banking in the UAE.

Conclusion & Next Steps

The CBUAE’s SMS OTP ban is more than a regulatory requirement—it’s a strategic opportunity. Banks that embrace passkeys and CIAM solutions will gain:

  • Stronger fraud prevention
  • A superior customer experience
  • Reduced operational costs

Partnering with Truoco allows UAE financial institutions to implement passwordless authentication across the customer lifecycle, from onboarding to high-value transactions. Early adoption ensures compliance, enhances security, and positions banks as leaders in next-generation digital banking.

If your bank is preparing for the March 2026 deadline, now is the time to explore Truoco’s phishing-resistant passkey solutions and begin transforming your digital authentication strategy today.

Share this article:

Frequently Asked Questions About Identity Verification

Why is the CBUAE banning SMS OTP by March 2026?

SMS OTP is vulnerable to phishing, SIM-swapping, and social engineering attacks, creating significant security risks.

What are passkeys, and how do they work?

Passkeys are cryptographic, passwordless credentials stored on a user’s device. Authentication occurs via biometrics and device-bound cryptography.

How do passkeys improve the customer experience?

Passkeys remove the need for entering OTPs or passwords, allowing frictionless login with fingerprints, Face ID, or other biometrics.

Can passkeys reduce operational costs for banks?

Yes, banks save on SMS delivery costs, password-related support tickets, and IT resource allocation.

How do passkeys protect high-value transactions?

They trigger adaptive, step-up authentication for sensitive operations, ensuring only authorized users can execute these transactions.

What is CIAM, and why is it important?

Customer Identity and Access Management (CIAM) secures the entire digital journey, integrating authentication, onboarding, and transaction verification seamlessly.

Why should UAE banks partner with Truoco?

Truoco provides FIDO-certified passkey solutions, CIAM integration, regulatory compliance, and rapid deployment for secure passwordless banking.

Is passkey adoption compliant with international standards?

Yes, Truoco solutions align with FIDO2, WebAuthn, and UAE cybersecurity regulations, ensuring both global and local compliance.