Starting 8 October, users in India will be able to authenticate Unified Payments Interface (UPI) transactions using facial recognition and fingerprints, marking a major shift from the current numeric PIN-based system, according to a Reuters report citing people familiar with the matter.
The authentication process will rely on biometric data stored under Aadhaar, the Government of India’s unique identification system, one of the sources said. The National Payments Corporation of India (NPCI), which operates UPI, is expected to showcase this new biometric feature at the ongoing Global Fintech Festival in Mumbai.
This initiative follows the Reserve Bank of India’s recently introduced framework titled “Authentication Mechanisms for Digital Payment Transactions Directions, 2025.” The framework encourages adoption of new and secure methods of verifying digital payments beyond the traditional SMS-based one-time passwords (OTPs).
The RBI said the framework aims to “encourage introduction of new factors of authentication by leveraging upon technological advancements,” while continuing to allow OTPs as an additional factor of authentication (AFA).
Under the new rules, banks, fintech companies, and payment service providers can introduce alternative methods such as device-based verification, biometric authentication, hardware tokens, or passphrases — either alongside or in place of OTPs.
Currently, nearly all digital payments in India depend on SMS OTPs as the second layer of authentication. While the RBI has not specifically mandated OTPs, the industry has widely adopted them as the standard form of additional security.
The central bank clarified that for digital payment transactions, at least one of the authentication factors must be unique to each transaction to prevent reuse or compromise.
Authentication factors may include “something the user knows” (like a password or PIN), “something the user has” (such as a hardware token or device-based credential), or “something the user is” (like fingerprints or facial recognition).
The new framework applies to all domestic digital payment transactions conducted by banks, card issuers, fintech firms, and other payment system participants.