Several of the UAE’s largest banks are preparing to discontinue the use of text-message one-time passwords for online card transactions, replacing the system entirely with app-based verification starting next week, according to customer notifications reviewed by local media.
Messages circulated to account holders on December 31 informed customers that approvals for online card purchases will soon be handled only through banks’ mobile applications. The alerts specified that from January 6, 2026, SMS-delivered OTPs will no longer be issued, with users required to confirm payments through their bank’s official app.
“From January 6, 2026, we will stop sending one-time passwords (OTPs) via SMS for online card purchases,” the messages stated. Customers were advised to ensure that their mobile banking applications are downloaded, activated, and ready for use ahead of the change.
Reports by Gulf News and Emarat Al Youm noted that the shift is part of a broader transition that has been unfolding across the banking sector since mid-2025. In July, banks began reducing reliance on OTPs sent via SMS or email for digital transactions and fund transfers, gradually replacing them with in-app authentication.
At the time, an official circular referencing guidance from the Central Bank of the UAE outlined plans to phase out OTP delivery through traditional messaging channels. The document encouraged customers to complete electronic transactions using mobile applications equipped with built-in approval tools.
By October 2025, several banks had already moved fully to app-only authorisation, requiring customers to approve payments through actions such as tapping or swiping within their banking apps. The approach centralises transaction approvals within secured platforms rather than external messaging systems.
Banking sources had previously said the sector-wide rollout was targeted for completion by the end of 2025. While some banks initially considered allowing customers to retain SMS OTPs upon written request, this option involved transferring fraud-related liability away from the bank and onto the customer.
