India's Biometric Payment Rules to Revolutionize Security

Published Date : 9/30/2025 

The Reserve Bank of India (RBI) has updated its guidelines on digital payment authentication, introducing risk analysis and multi-factor authentication (MFA) requirements. Biometric providers are ready to meet these new standards, ensuring enhanced security and convenience for users. 

The Reserve Bank of India (RBI) has issued new guidelines on the authentication mechanisms for digital payment transactions, bringing significant changes to the landscape of financial security in the country. According to the new direction published on Thursday, financial institutions and payment networks can now incorporate risk analysis into their two-factor authentication (2FA) processes for digital payments.

The guidelines, titled “Authentication Mechanisms for Digital Payment Transactions,” clarify that the two factors used for 2FA should not be from the same type of authentication. Instead, they must consist of two different factors from the categories of knowledge, possession, and inherence. Both Aadhaar biometrics, stored by the central government, and native device biometrics are accepted for inherence factors.

For remote or card-not-present (CNP) transactions, one of the factors must be dynamic, such as an OTP or biometric, to ensure heightened security. These requirements will take effect on April 1, 2026.

The RBI has been steadily moving towards multi-factor authentication (MFA) with at least one dynamic factor for digital payments over the past few years. This shift is complemented by modernized methods of biometric KYC checks to facilitate easier customer onboarding. For CNP transactions that are carried out across borders and are not recurring, the card issuer will need to register its Bank Identification Number with card networks by October 1, 2026.

Despite concerns raised by the National Institute of Standards and Technology (NIST) regarding the security of one-time passwords (OTPs) over SMS, the RBI has not advised banks to discontinue this practice. However, the new guidelines emphasize the importance of dynamic and robust authentication methods to enhance overall security.

India-based startup Proxgy has launched a biometric point-of-sale (POS) device, ThumbPay, which supports payment authentication through Aadhaar and UPI, even for customers without smartphones. Priced at less than 2,000 rupees (approximately US$22.50), the ThumbPay device verifies the customer’s thumbprint biometrics against the Aadhaar Enabled Payment System (AEPS). The device includes built-in fraud detection and options for payments through QR codes and NFC, although these are not mandatory.

Idex Biometrics has been positioning itself for the Indian market since expanding into the country last year. Anders Storbråten, CEO of Idex Biometrics, commented, “The RBI’s approval of biometric authentication represents a transformational moment for digital payment security in India. Idex has been strategically positioned for this regulatory shift, having successfully conducted pilot testing with Indian payment partners. Our technology meets the exact security and privacy requirements outlined in the new guidelines.”

Next Biometrics, through its Mumbai-based partner Evolute Fintech Innovations, has received Aadhaar L1 certification for its POS devices, ensuring compliance with the new biometric authentication standards. There are approximately 4.5 million devices certified to “L0” in India that will need to be upgraded, presenting a significant market opportunity.

The certification marks the next phase in a multi-year commercial partnership established in 2023, which is expected to generate revenues of between 14 and 28 million Norwegian kroner (US$1.4 million to $2.8 million) for Next Biometrics. Parag Mehta, CEO of Evolute, stated, “By integrating Next’s advanced biometric sensors with Evolute’s proven engineering prowess, and achieving L1 certification, we are setting a new benchmark of trust for secure and inclusive citizen services. This collaboration reflects how Evolute’s deep product engineering expertise, combined with Next’s technological rigor, creates a formidable partnership capable of accelerating innovation for India and the world at scale.”

These developments highlight the ongoing efforts to enhance digital payment security in India, with biometric authentication playing a crucial role in achieving this goal. The new guidelines and innovations from companies like Proxgy, Idex Biometrics, and Next Biometrics are set to transform the digital payment landscape, making transactions more secure and convenient for users. 

Frequently Asked Questions (FAQS): 

Q: What are the new guidelines for digital payment authentication in India?

A: The Reserve Bank of India (RBI) has updated its guidelines to include risk analysis and multi-factor authentication (MFA) for digital payments. The two factors must be from different categories: knowledge, possession, and inherence. For remote transactions, one factor must be dynamic, such as an OTP or biometric.

Q: When will these new guidelines take effect?

A: The new guidelines will take effect on April 1, 2026.

Q: What is ThumbPay, and how does it work?

A: ThumbPay is a biometric point-of-sale (POS) device launched by Proxgy. It supports payment authentication through Aadhaar and UPI, even for customers without smartphones. It verifies the customer’s thumbprint biometrics against the Aadhaar Enabled Payment System (AEPS) and includes built-in fraud detection.

Q: Why is biometric authentication important for digital payments?

A: Biometric authentication enhances security and convenience in digital payments. It provides a robust method for verifying user identity, reducing the risk of fraud and improving the overall user experience.

Q: What is the significance of Aadhaar L1 certification for POS devices?

A: Aadhaar L1 certification ensures that POS devices meet the security and privacy standards required for biometric authentication. It is a crucial step for companies like Next Biometrics and Evolute to comply with the new RBI guidelines and operate in the Indian market. 

More Related Topics :