Security
HID enables Indian banks to meet RBI authentication mandate with FIDO-based MFA solutions
2026-04-23
HID has announced its readiness to support Indian banks and payment service providers in meeting the Reserve Bank of India’s (RBI) new authentication requirements for digital payment transactions. The RBI’s Authentication Mechanisms for Digital Payment Transactions Directions, 2025 (RBI/2025-26/79), effective April 1, 2026, mandates stronger multi-factor authentication (MFA) and signals a decisive move away from legacy methods such as password-plus-SMS OTP.
India’s digital payments ecosystem has grown exponentially, with Unified Payments Interface (UPI) processing billions of transactions monthly. However, the proliferation of phishing attacks, SIM-swapping fraud and social engineering schemes has exposed the vulnerabilities of SMS-based one-time passwords. Recognising these risks, the RBI issued its comprehensive directions under Section 18 of the Payment and Settlement Systems Act, 2007, requiring all payment system providers and participants - including banks, non-bank entities, and fintech platforms - to adopt robust, dynamic and interoperable authentication mechanisms.
The new framework requires at least two independent factors of authentication for digital payment transactions, with at least one factor being dynamic in nature. Critically, it encourages the adoption of advanced technologies beyond traditional OTPs, including device-bound credentials and biometric verification. The directions also introduce a risk-based approach, empowering issuers to apply enhanced authentication for higher-risk transactions based on behavioural and contextual parameters.
HID’s authentication solutions, built on Fast Identity Online (FIDO) standards, are purpose-designed to address these regulatory requirements. By leveraging public key cryptography and device-bound passkeys, HID eliminates the shared secrets - such as passwords and OTPs - that attackers routinely exploit. Authentication is performed using a combination of device possession (“something the user has”) and biometrics or a PIN (“something the user is or knows”), delivering phishing-resistant security without compromising user experience.
HID’s authentication solutions, built on FIDO standards, enable banks to move beyond the vulnerabilities of OTP-based security by anchoring each transaction to the customer’s own device through public key cryptography. Rather than relying on shared secrets that can be intercepted or reused, HID’s approach ties authentication to device-bound passkeys, combining proof of possession with biometric or PIN verification for a seamless login experience. The result is a significant reduction in phishing and fraud risk, paired with a faster, more intuitive banking experience for customers.
Edwardcher Monreal, Principal Solutions Architect/Spokesperson at HID, said: “The RBI’s updated directions are a landmark step for India’s digital payments security. By moving beyond SMS OTPs and embracing standards-based authentication, India is aligning with global best practices. HID’s FIDO-based solutions give banks and payment providers a clear, proven path to compliance - one that not only meets the April 2026 deadline but also strengthens defenses against the evolving threat landscape.”
Key advantages of HID’s approach include:
Phishing-resistant authentication: FIDO-based passkeys are bound to the user’s device and cannot be intercepted, replayed or phished - addressing the primary attack vectors targeting SMS OTPs.
Standards-based interoperability: Solutions built on open FIDO standards work seamlessly across applications, operating systems and devices, avoiding vendor lock-in and supporting the RBI’s interoperability principles.
Risk-based and adaptive security: HID’s platform supports dynamic, context-aware authentication that aligns with the RBI’s risk-based framework, enabling financial institutions to apply proportionate security measures.
Seamless user experience: By replacing cumbersome OTP workflows with biometric or PIN-based verification on the user’s own device, HID improves transaction speed and customer satisfaction.
The shift towards phishing-resistant authentication reflects a broader global trend. Regulatory bodies and industry alliances worldwide are recognising that shared-secret authentication models - where credentials can be intercepted or replicated - are no longer adequate for securing high-value digital transactions. India’s move aligns with similar initiatives in the European Union, Singapore, and Australia, positioning the country’s financial sector at the forefront of authentication security in the Asia-Pacific region.
HID’s passkey and passwordless authentication solutions are available immediately, enabling banks and payment service providers to begin implementation. HID works closely with financial institutions across the region to ensure seamless deployment and integration with existing banking infrastructure.




