Table of Contents
- Why UAE Banks Are Dropping SMS OTP
- What Actually Changes for You as a Customer
- What Actually Happens: Approving a Payment In-App
- The New Authentication Methods Explained
- Key Dates and Which Banks Have Moved
- No Smartphone, Travelling, or Changed Your Number? What to Do
- How This Kills Common OTP Scams
- Your Readiness Checklist
- FAQ
- Official Sources

A plain-language guide for UAE bank customers on why SMS and email one-time passwords are being switched off, what in-app approval looks like in practice, what to do if you travel, change your number, or lose your phone, and how the change shuts down the most common OTP scams.
UAE banks are switching off the SMS and email one-time password. Under the Central Bank of the UAE’s consumer-protection framework, licensed banks must stop using SMS and email OTPs as a standalone way to approve online transactions and move customers to in-app authentication, with the transition running through a phased timeline that reaches full discontinuation by 31 March 2026. In practice that means the six-digit code you used to receive by text is being replaced by a push notification inside your bank’s app, which you approve with your fingerprint, Face ID, or a PIN. Several major lenders began the shift for online card payments from 6 January 2026.
This guide explains what is actually changing for you as a customer, walks through exactly what an in-app approval looks like on screen, and answers the practical questions the announcements skipped: what happens if you do not use a smartphone, if you are travelling on a foreign SIM, if you change your number, or if you lose your device. It also covers the security logic behind the change and how it removes the single weakness that most UAE banking scams rely on. Bank-specific details differ, so confirm your own bank’s method in its app before the SMS channel goes dark.
Why UAE Banks Are Dropping SMS OTP
The change is driven by the regulator, not by individual banks acting alone. The Central Bank of the UAE oversees how licensed banks protect customers through its Consumer Protection Regulation and the accompanying Consumer Protection Standards, which place the burden of secure authentication and fraud prevention on the institution. A 2025 Central Bank directive, widely reported as Notice 2025/3057, instructed banks and payment service providers to phase out SMS and email OTPs as a primary authentication method and adopt stronger alternatives.
The reason is simple: the text-message OTP is the weakest link in modern banking security. A code sent by SMS can be intercepted through SIM-swap fraud, redirected through mobile-network weaknesses, or, most commonly, socially engineered out of the customer by a scammer posing as the bank. UAE police and banks have repeatedly warned that fraudsters trick people into reading out the code that lands on their phone, because that single number is often all that stands between the criminal and the account. Moving approval inside an authenticated app, tied to a specific device and protected by biometrics, closes that gap. The regulator’s framework also pushes banks toward real-time fraud monitoring and device and behavior checks, so the app approval is only one layer of a wider defense.
What Actually Changes for You as a Customer
For most people, the day-to-day change is small but noticeable: the code stops arriving by text, and approval happens inside the bank app instead. When you shop online, transfer money, add a payee, or log in, you no longer wait for an SMS and type six digits into a web form. Instead your phone shows a push notification from your banking app, you open it, check the transaction details, and confirm with a fingerprint, Face ID, or a security PIN.
The practical upside is real for anyone who has ever missed a code. App approval does not depend on your mobile carrier’s signal or on SMS delivery, only on an internet connection, so it works on Wi-Fi and does not fail when texts are delayed. That matters most when you are abroad. As banks have noted, SMS OTPs often fail on roaming or foreign SIMs, while app-based approval works over any internet connection without a local mobile network. If you are new to UAE banking, it is worth understanding this before you open a bank account in Dubai, because setting up the app and biometrics is now part of account activation rather than an optional extra.
What Actually Happens: Approving a Payment In-App
Here is what the new flow looks like on screen, using an online card purchase as the example. You enter your card details on a merchant site and confirm the payment as usual. Within a second or two, a push notification appears on your phone from your bank’s app, replacing the old text message. You tap it, and the app opens directly on an approval screen.
That screen shows the transaction details you need to check before you commit: the exact amount, the merchant or recipient name, and often the purpose or card used. You then approve or decline. Approval is confirmed with your fingerprint or Face ID, or by entering your app security PIN if biometrics are switched off. If you decline, the transaction is stopped on the spot. Some banks package this as a soft token or “smart” security feature that lives in the app: Emirates NBD, for example, runs it through its Smart Pass feature in the mobile banking app, where you swipe the notification, enter the Smart Pass PIN or use biometrics, review the details, and tap approve. The key difference from the old model is that you are approving a specific, described transaction inside a secured app, not typing a naked code that could be read out to anyone.
| Feature | SMS / email OTP (old) | App-based 2FA (new) |
|---|---|---|
| How you approve | Type a 6-digit code into a web form | Tap approve in the app with fingerprint, Face ID, or PIN |
| What you see before approving | Usually just the code, little transaction detail | Amount, recipient or merchant, and purpose |
| Needs mobile signal | Yes, SMS can fail on roaming or foreign SIM | No, works on any internet connection |
| Can be socially engineered | Yes, a scammer can ask you to read out the code | Much harder, nothing to read out or forward |
| Tied to your device | No, code works wherever it is entered | Yes, bound to your registered phone |
The New Authentication Methods Explained
The Central Bank did not mandate a single technology; it required banks to move to methods that are harder to intercept than a text message. In practice UAE banks are using a mix of the following, and you may encounter more than one depending on the transaction and your bank.
- In-app push approval: A notification appears in your bank app asking you to approve or decline a described transaction. This is the most common replacement for the SMS code.
- Biometric confirmation: Fingerprint or facial recognition already built into your phone, used to sign off the approval. Nothing is transmitted that a fraudster could reuse.
- Software or “smart” tokens: A secure PIN-protected token generated inside the app, such as the smart pass style feature several banks use, which authorizes transactions without any SMS.
- Passkeys and device-bound credentials: Some banks are rolling out passwordless, cryptographic sign-in tied to your specific device, which cannot be phished in the way a code can.
The common thread is that approval is anchored to a device you control and a biometric or PIN only you can provide. That is why the regulator treats these as stronger than a code that anyone holding your phone, or anyone who tricks you into speaking it aloud, can use. If you are choosing where to bank, app security maturity is now a genuine differentiator worth weighing alongside the usual factors when you compare the best bank accounts for UAE expats.
Decision point: do you rely on a smartphone for banking?
If yes, the move is mostly seamless. Install your bank’s latest app, enable biometric login, and switch on app-based authorization in the security settings before your bank turns off SMS. Do this now rather than at the checkout of an urgent payment.
If no, or you share a basic phone, do not wait for the SMS channel to disappear. Contact your bank directly to ask what alternative it offers, such as a hardware token, a phone-banking approval route, or in-branch authorization. Banks must still serve customers who cannot use an app, but the fallback varies by institution, so confirm yours in advance.
Key Dates and Which Banks Have Moved
The transition has been phased rather than a single overnight switch. Reporting indicates the wind-down of SMS and email OTPs began in mid-2025, several major banks stopped using SMS OTP for online card payments from 6 January 2026, and the Central Bank’s framework points to full discontinuation of SMS and email OTP as a standalone method by 31 March 2026. Because the exact cut-off date differs by bank and by transaction type, treat any single date as indicative and rely on the notice your own bank sends you.
On banks, keep expectations grounded in what each institution has actually announced. Emirates NBD has publicly confirmed it is replacing SMS OTPs with authentication through its app, using its smart pass and biometric approval. Several other major UAE banks have been reported to be rolling out equivalent app-based or “smart OTP” features on similar timelines. Rather than assume your bank has already switched, open your banking app, look in the security or authentication settings for an app-approval or smart-token option, and enable it. If your bank’s app goes down at a critical moment, know your rights and options during a bank app outage, because app approval makes the app itself more central to everyday access.
No Smartphone, Travelling, or Changed Your Number? What to Do
The announcements focused on the smooth case: a customer with an up-to-date app and biometrics enabled. Real life is messier. The table below sets out the common problem scenarios and the practical response for each. In every case the underlying rule is the same: your bank must give you a working way to authenticate, so if the default app route does not fit your situation, the answer is to contact the bank rather than to go without.
| Your situation | What to do |
|---|---|
| You do not use a smartphone | Ask your bank about non-app options such as a hardware token, phone-banking approval, or in-branch authorization. Confirm before SMS is switched off. |
| You are travelling on a foreign SIM or roaming | This is where app approval helps most. It needs only internet, not a local signal, so connect to Wi-Fi or mobile data and approve in the app as normal. |
| You changed your UAE mobile number | Update your registered number with the bank promptly. App approval is tied to your device and login, but keeping contact details current avoids re-verification and security holds. |
| You lost your phone or got a new device | Re-register the app on the new device, which usually requires re-verifying your identity. Report the lost device to the bank so app access on it can be revoked. |
| Your phone has no internet at the moment | Connect to any Wi-Fi or data to receive the approval prompt. Unlike SMS, the request will be waiting in the app once you are online. |
Two situations deserve extra care. First, changing your device or number is exactly the moment when a bank may apply a temporary security hold, so allow time and expect an identity check. Second, if your account is already restricted, resolve that first, because authentication changes will not lift an unrelated freeze; see our guide on why UAE bank accounts get frozen and how to unfreeze them. Keeping your records current also feeds into ongoing KYC and compliance checks, which banks run alongside these security upgrades.
How This Kills Common OTP Scams
The strongest argument for the change is what it does to fraud. The classic UAE scam works like this: a caller poses as your bank, a delivery company, or a government service, creates urgency, and asks you to share the code that just arrived on your phone. UAE police and banks have warned repeatedly that no legitimate bank or authority will ever ask for your OTP. The whole scam depends on there being a code that can be spoken aloud, forwarded, or typed into a fake page.
App-based approval removes that code. There is nothing to read out, because you approve a specific transaction inside your own secured app using your fingerprint or PIN. A scammer cannot complete a payment just by talking you through it on the phone, and a fake checkout page cannot harvest a code that no longer exists. It does not make you invincible: you should still refuse to approve any in-app prompt for a transaction you did not start, and never approve a payment because someone on a call tells you to. For the wider picture of how these frauds are evolving, see our breakdown of common UAE scams and how to report them. If you do fall victim, report it through the UAE’s official cybercrime reporting channels and contact your bank immediately.
Your Readiness Checklist
A few minutes of setup now prevents a blocked payment later. Work through the following before your bank switches off SMS OTP for your account.
- Update your bank’s mobile app to the latest version from the official app store.
- Enable biometric login, fingerprint or Face ID, on the device you actually carry.
- Turn on app-based authorization or the smart-token feature in the app’s security settings.
- Confirm your registered mobile number and email are current with the bank.
- Allow push notifications for the banking app so approval prompts arrive instantly.
- If you do not use a smartphone, contact your bank now to arrange an alternative method.
- Keep a note of your bank’s official helpline for lost devices and urgent approvals.
Once this is in place, everyday banking continues much as before, including when you send money from the UAE, except the approval step is faster, works abroad, and is far harder for a fraudster to hijack.
FAQ
Why are UAE banks stopping SMS OTP?
Because the text-message code is the easiest part of banking security to attack. It can be intercepted through SIM-swap fraud or, more often, socially engineered out of the customer by a scammer. Under the Central Bank of the UAE’s consumer-protection framework, banks must move to stronger in-app authentication such as push approvals and biometrics, with SMS and email OTP phased out as a standalone method.
When exactly is SMS OTP being switched off?
The transition is phased. Several major banks stopped using SMS OTP for online card payments from 6 January 2026, and the Central Bank’s framework points to full discontinuation of SMS and email OTP as a standalone method by 31 March 2026. The exact date depends on your bank and transaction type, so rely on the notice your own bank sends you.
What replaces the SMS code?
An in-app approval. When you make a payment or transfer, a push notification appears in your bank’s app showing the amount, recipient, and purpose. You approve or decline and confirm with your fingerprint, Face ID, or a security PIN. Some banks package this as a soft token or smart-pass feature inside the app.
How do I approve a payment without an OTP?
Open the push notification from your bank app, review the transaction details on the approval screen, and tap approve, then confirm with biometrics or your app PIN. If you did not start the transaction, decline it. Nothing needs to be typed into a website or read out to anyone.
What if I do not have a smartphone?
Contact your bank before SMS is switched off to ask what alternative it offers, such as a hardware token, phone-banking approval, or in-branch authorization. Banks must still serve customers who cannot use an app, but the fallback varies by institution, so confirm your bank’s option in advance.
Will app-based approval work when I am travelling abroad?
Yes, and it usually works better than SMS. App approval needs only an internet connection, not a local mobile signal, so it does not fail on roaming or a foreign SIM the way texts often do. Connect to Wi-Fi or mobile data and approve in the app as normal.
What happens if I change my phone number?
Update your registered number with the bank promptly. App-based approval is tied to your device and login rather than to the SMS channel, so a number change should not block approvals, but keeping your contact details current avoids re-verification and security holds.
What do I do if I lose my phone?
Report the lost device to your bank immediately so app access on it can be revoked, then re-register the app on your new device. Re-registration usually requires re-verifying your identity, so allow time and expect a security check.
Does this change make my account scam-proof?
No, but it removes the weakness most UAE banking scams rely on. There is no longer a code you can be tricked into sharing, which shuts down the classic OTP phone scam. You must still refuse to approve any in-app prompt for a transaction you did not start, and never approve a payment because a caller tells you to.
Is the switch mandatory or can I keep using SMS OTP?
It is mandatory. The move is driven by the Central Bank of the UAE, not by individual banks, and SMS and email OTP are being retired as a standalone authentication method sector-wide. You cannot opt to keep receiving codes by text once your bank completes the switch, so set up app-based approval in advance.
Official Sources
- Central Bank of the UAE — Consumer Protection
- CBUAE Rulebook — Consumer Protection Regulation (Circular No. 8 of 2020)
- CBUAE Rulebook — Consumer Protection Standards
- UAE Government Portal — Cyber Safety and Digital Security
- UAE Government Portal — Report Cybercrimes Online
- Emirates NBD — Using Smart Pass (app-based authorization)
This guide is for informational purposes only and reflects rules and bank practices current as of July 2026. Authentication methods, cut-off dates, and procedures differ by bank and are subject to change. Always confirm the current requirements and available options directly with your own bank, and follow the official notices it sends you before the SMS OTP channel is switched off.
Table of Contents
- Why UAE Banks Are Dropping SMS OTP
- What Actually Changes for You as a Customer
- What Actually Happens: Approving a Payment In-App
- The New Authentication Methods Explained
- Key Dates and Which Banks Have Moved
- No Smartphone, Travelling, or Changed Your Number? What to Do
- How This Kills Common OTP Scams
- Your Readiness Checklist
- FAQ
- Official Sources
About the authors
Omar Al Nasser is a Senior Content Creator & Analyst at UAE Experts HUB, specializing in Dubai real estate registration, title deeds, and official government procedures.

Head of Legal & Compliance Department

Author & Editor

Head of Legal & Compliance Department

Author & Editor





