- All digital payments must follow Two‑Factor Authentication (2FA), with at least one dynamic factor (OTP, biometric, token, etc.) unique to each transaction.
- Factors include something you know (PIN/password), something you have (device/token), and something you are (biometrics).
- Risk‑based authentication is allowed, with issuers applying extra checks for high‑risk transactions (e.g., DigiLocker confirmation, behavioural analysis).
- Exemptions: small‑value contactless card payments, recurring transactions (post‑first), prepaid instruments, FASTag/NETC, small‑value offline payments, and corporate travel bookings.
- Issuers must ensure compliance, promote biometrics, passkeys and device‑based tokens, and compensate customers for losses due to non‑adherence.
Question:
Q.1 As per RBI’s 2025 directions, all digital payment transactions must follow which of the following?
a) Single Factor Authentication (SFA)
b) Two-Factor Authentication (2FA)
c) Triple-Layer Authentication (TLA)
d) Risk-Free Authentication (RFA)
Answer: b) RBI has made Two-Factor Authentication mandatory, with at least one dynamic factor (OTP, biometric, token, etc.) unique to each transaction.