
UAE: No more OTPs? 7 new ways banks may authenticate users, fight scams

UAE banks will reportedly gradually stop sending one-time passwords (OTPs) via SMS and email for digital transactions

Published: Thu 24 Jul 2025, 3:44 PM

Updated: Sun 27 Jul 2025, 9:40 AM

One-time passwords or OTPs are now outdated in the face of the dramatic rise in sophisticated banking frauds, a Dubai-based cybersecurity expert told Khaleej Times, following news that UAE banks will gradually stop sending one-time passwords (OTPs) via SMS and email for digital transactions starting July 25.

Instead of OTPs, banks will shift to authentication via mobile banking apps, using in-app confirmation features. Cybersecurity expert Rayad Kamal Ayub praised UAE banks and regulators for “adopting groundbreaking authentication technologies to secure transactions, safeguard customer identities, and provide frictionless user experiences”.

“The Central Bank of the UAE has taken decisive steps since 2024, spurred by persistent calls from industry leaders and media like Khaleej Times, to overhaul traditional authentication methods — especially OTPs — which have proven vulnerable to modern hacking techniques,” he added.


Rayad, who is also managing director of UAE-based Rayad Group, shared emerging authentication technologies and explained how each counters fraud risks and redefines customer trust in the UAE banking sector.

1. Passkeys & FIDO2 authentication

“The era of easily compromised passwords is drawing to a close”, noted Rayad. Passkeys, built on the FIDO2 (Fast IDentity Online 2) standards, enable passwordless authentication by leveraging cryptographic keys stored directly on a user’s device. When combined with biometric sensors like Face ID, Touch ID, or Android’s equivalent, passkeys offer a seamless, one-touch login experience.

Key features:

- Passwordless, leveraging asymmetric cryptography for security

- Biometric integration (facial recognition, fingerprints) for effortless access

- Resistant to phishing attacks, SIM swaps, and credential stuffing that are frequently used by scammers

Rayad said UAE banks are piloting passkey-based logins to replace or augment OTPs, drastically reducing the risk of interception or duplication. “Because of this, customers benefit from smoother, faster access to services, while institutions see a drop in account takeover attempts.”
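Why a passkey login resists the phishing and interception that defeat OTPs, shown as an added example that is not part of the original article: a simplified Node.js model of the FIDO2 challenge-response. The origins, function names and JSON message layout are assumptions made for illustration; real WebAuthn signs binary authenticator data rather than this JSON.

```javascript
// Simplified passkey login model (constructed example; not full WebAuthn encoding).
const crypto = require('node:crypto');

const BANK_ORIGIN = 'https://bank.example';            // assumed legitimate origin
const PHISH_ORIGIN = 'https://bank-login.example.net'; // assumed look-alike origin

// Registration: the device keeps the private key; the bank stores only the public key.
function registerPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device side: the browser, not the page, supplies the origin that gets signed.
function signAssertion(privateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Bank side: check the signature, then challenge freshness, then the origin.
function verifyAssertion(publicKey, expectedChallenge, assertion) {
  const signed = Buffer.from(assertion.clientData);
  if (!crypto.verify('sha256', signed, publicKey, assertion.signature)) {
    return 'rejected: bad signature';
  }
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expectedChallenge) return 'rejected: stale challenge';
  if (origin !== BANK_ORIGIN) return 'rejected: wrong origin';
  return 'accepted';
}

function runScenarios() {
  const { publicKey, privateKey } = registerPasskey();
  const newChallenge = () => crypto.randomBytes(32).toString('hex');
  const c1 = newChallenge();
  const genuine = signAssertion(privateKey, c1, BANK_ORIGIN);
  // A look-alike site relays the bank's challenge, but the browser signs its real origin.
  const c2 = newChallenge();
  const relayed = signAssertion(privateKey, c2, PHISH_ORIGIN);
  // Rewriting the origin after signing invalidates the signature.
  const forged = { ...relayed, clientData: JSON.stringify({ challenge: c2, origin: BANK_ORIGIN }) };
  return {
    genuine: verifyAssertion(publicKey, c1, genuine),
    replayed: verifyAssertion(publicKey, c2, genuine), // old assertion, new challenge
    relayed: verifyAssertion(publicKey, c2, relayed),
    forged: verifyAssertion(publicKey, c2, forged),
  };
}

console.log(runScenarios());
```

Unlike an OTP, nothing the user can read out or type is ever produced, so a captured response is only valid for one challenge and one origin.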

2. Decentralised Identity (DID)

Traditional identity systems often rely on central databases, making them lucrative targets for cybercriminals. Decentralised Identity (DID) puts control back in the hands of users through cryptographically verifiable credentials stored on personal devices or digital wallets.

Key features:

- User-controlled digital identity, minimising reliance on central authorities

- Secure onboarding and KYC (Know Your Customer) processes without exposing data to a single point of failure

- Backed by global initiatives such as the EU Digital Identity Wallet, which influence regulatory direction in the UAE

Rayad noted DID not only enhances privacy but also boosts resistance to large-scale data breaches. Several banks and fintech startups abroad are exploring DID frameworks, enabling customers to share only necessary fragments of their identity for transactions or onboarding.

3. Behavioural biometrics

Unlike traditional biometrics, which rely on fingerprint and facial recognition, behavioural biometrics authenticate users based on how they interact with their devices: typing rhythm, swipe patterns, mouse movements, and device handling. This continuous, invisible layer of authentication operates in the background, constantly monitoring for unusual behaviour.

Key features:

- Continuous authentication — no need for repeated logins

- Detects subtle deviations from a user’s normal behaviour, flagging potential fraud instantly

- Non-intrusive, preserving the seamless user experience

Some banks are integrating behavioural biometrics into their mobile apps and online banking portals. The technology can detect when an account is being accessed by someone other than the legitimate user, even if the correct credentials are provided, offering an early warning against fraud, explained Rayad.

4. Post-quantum cryptography (PQC)

Rapid advances in quantum computing threaten to render existing cryptographic algorithms obsolete. PQC proactively arms banks against this looming risk by employing new algorithms designed to withstand quantum attacks.

Key features:

- Uses quantum-resistant algorithms for data protection and authentication

- Recommended by leading authorities such as NIST (National Institute of Standards and Technology)

- Ensures future-proofing of banking systems as quantum capabilities mature

Forward-thinking UAE banks are beginning to test PQC solutions, especially for securing high-value transactions, internal communications, and sensitive customer data. Early adoption ensures readiness for the quantum era and demonstrates industry leadership in digital security.

5. Hardware authenticators

Physical security keys, such as YubiKeys, provide an extra layer of defence by requiring users to possess a tangible device for authentication. Unlike SMS codes or app-based OTPs, hardware authenticators are immune to malware, phishing, and remote access threats.

Key features:

- Possession-based multi-factor authentication (MFA)

- No reliance on mobile networks or internet connectivity for validation

- Highly secure against malware-infected devices, phishing, and unauthorised remote access

Rayad said wealthy individuals and corporate clients are adopting hardware authenticators to safeguard access to sensitive accounts. Some banks now offer security key support for executive and VIP accounts, acknowledging the growing sophistication of targeted attacks.

6. AI-powered deepfake detection

As facial and voice authentication gain popularity, so do threats from deepfakes—artificially generated images, videos, or audio designed to impersonate legitimate users. AI-driven deepfake detection tools analyse nuanced characteristics, such as liveness, temperature, and micro-expressions, to distinguish between real and forged identities.

Key features:

- Liveness detection using AI to confirm presence of a real human

- Infrared scanning and micro-expression analysis for enhanced accuracy

- Protection against spoofing attacks targeting facial and voice biometrics

Banks are already implementing liveness tests and deepfake detection on their mobile apps and at ATMs. These measures ensure that innovative authentication methods remain robust against emerging threats and reassure customers about the safety of biometric logins.

7. Cloud-based identity platforms

Managing authentication infrastructure in-house is costly and complex. Cloud-based identity platforms—often delivered as Identity-as-a-Service (IDaaS)—allow banks to deploy advanced authentication solutions that scale with demand while staying compliant with evolving regulations.

Key features:

- Centralised identity management for all digital channels

- Scalable and cost-effective compared to traditional on-premises solutions

Rayad observed some UAE banks are migrating to cloud identity platforms to streamline onboarding, authentication, and authorisation across mobile, web, and branch channels. This not only enhances security but also delivers a unified, frictionless customer experience.

More secure digital banking future

Rayad reiterated that as fraudsters evolve, so must the technology that protects the financial ecosystem. By moving beyond vulnerable legacy systems like OTPs and embracing tools such as passkeys, decentralised identities, behavioural biometrics, post-quantum cryptography, hardware authenticators, AI-powered deepfake detection, and cloud-based identity platforms, UAE banks are building resilient defenses against fraud while unlocking seamless, user-friendly digital experiences.

“The UAE's commitment to innovation not only safeguards customers but also strengthens the country's reputation as a global leader in digital finance. The rapid pace of adoption today points toward a future where security, convenience, and privacy coexist — delivering banking experiences that are as secure as they are effortless,” he concluded.