Your UPI App Now Needs Two Proofs Before Every Payment — Here's Exactly What Changed After April 1
If you opened PhonePe, Google Pay, or Paytm on April 1, 2026 and noticed your payment felt slightly different — you were not imagining it. A sweeping regulatory change from the Reserve Bank of India (RBI) officially came into effect that day, fundamentally altering how every UPI transaction in India gets verified. The change is being called the most significant overhaul of India’s digital payment security architecture since UPI was launched in 2016. And yet, most users have received little to no explanation about what actually changed, why it happened, and what it means for their daily transactions.
This post breaks it all down in plain language — no jargon, no confusion, just a clear and thorough walkthrough of the new rules, who they affect, and how you should respond.
The Old System and Why It Failed
For nearly a decade, the user-facing check on a UPI payment was a single four- to six-digit PIN. You'd scan a QR code, enter your UPI PIN, and the transaction was done. Simple, fast, and reasonably effective, until it wasn't.
Cybercriminals got smarter. The methods they used to steal money did not require breaking into bank servers. They targeted the weakest link: the user’s phone and their SMS inbox. Four specific attack types made the old single-factor system dangerously inadequate.
Phishing attacks involved fraudsters creating fake bank websites or sending SMS messages mimicking legitimate notifications to trick users into sharing their OTPs in real time. SIM swap scams were even more insidious — criminals would convince a mobile operator to transfer a victim’s registered phone number to a new SIM card under their control, after which every OTP sent to that number landed in the attacker’s hands. Malware and spyware installed on Android phones could silently read incoming SMS messages and forward OTPs to remote attackers without the victim ever knowing. And social engineering, where callers impersonate bank officers and pressure users into “confirming” their OTP over the phone, remained one of the most effective and widespread fraud techniques in India.
Taken together, these vulnerabilities meant that a stolen UPI PIN (shoulder surfing, phishing, device theft), combined with control of your phone number or handset, was enough to drain your linked bank account. A swapped SIM let an attacker re-register UPI on their own phone, and malware on the victim's phone could act from the original device, so the PIN was in practice the last line of defence. The RBI's data on rising digital fraud cases made the need for a structural fix impossible to ignore.
What the New Rule Actually Says
Under the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025, all regulated entities involved in the digital payment chain are now required to implement mandatory Two-Factor Authentication (2FA) for every digital payment transaction in India.
The core requirement has two parts. First, every transaction must be verified using at least two independent authentication factors. Second — and this is the crucial detail — at least one of those two factors must be dynamic, meaning it is freshly generated for that specific transaction and expires almost immediately. A static password or a saved credential alone no longer qualifies as sufficient proof of identity.
In practical terms, this means your UPI PIN by itself is no longer enough. The PIN, which is something you know, must now be combined with a second factor from a different category: something you are (biometric, such as a fingerprint or face scan) or something you have (your specific trusted device, verified through cryptographic device binding). Separately, at least one element of the check must be dynamic, which in practice is a proof generated for that single transaction, such as a device-signed challenge, an in-app token, or a push approval that is useless for any other payment.
The mandate applies not just to UPI, but to all digital payment channels — credit cards, debit cards, and mobile wallets (also known as Prepaid Payment Instruments or PPIs) as well.
What “Two Proofs” Looks Like in Practice
The phrase “two proofs” essentially means two distinct verifications that confirm you are who you say you are. Here is how that plays out across the apps you use every day.
For UPI payments on apps like PhonePe, Google Pay, and Paytm, the combination is typically your device binding (Factor 1) and your UPI PIN or biometric (Factor 2). Device binding means your UPI app is cryptographically tied to your specific smartphone. When you initiate a payment, your phone itself silently proves its identity to the payment network before you even enter your PIN. This combination means that even if someone knows your PIN, they cannot use it from a different device unless they first manage to bind that device to your account, which is exactly why re-registration on a new phone is treated as a high-risk event.
For many users on trusted devices making routine payments, this background device verification is invisible. The two-factor check happens automatically and the experience feels similar to before. The friction becomes noticeable when you are transacting from a new phone, a new app install, or from an unusual location — in these scenarios, additional explicit verification steps will be triggered.
The approved second-factor options under the RBI framework include biometric verification such as fingerprint scans and face recognition done locally on the device, device binding and cryptographic passkeys, in-app push notification tokens that are unique per transaction and expire within seconds, hardware tokens for high-value corporate use, and behavioural analysis systems that silently verify patterns like your typing speed and usage habits. Traditional SMS OTPs are not eliminated, but they can no longer serve as the only method of verification — they must be paired with a second, independent factor.
Why This Is Smarter Than Just Adding Another OTP
A common misunderstanding is that the new rule simply means “two OTPs.” That is not what has changed. If the system required two OTPs, it would still be vulnerable to SIM swap attacks because both OTPs travel through the same compromised phone number. The RBI specifically designed the framework so that the two factors must be independent — meaning if one is compromised, the other must rely on a completely different channel or technology.
This is the concept of multi-layer security. Device binding, for example, rests on keys held on the phone itself (ideally in hardware-backed secure storage), which cannot be transferred to another handset the way a phone number can be moved to a new SIM. Biometrics are verified locally on the device and cannot be read out of a victim over a phone call. By requiring that at least one factor be dynamic and both factors be independent, the new framework cuts off the most common fraud pathways simultaneously.
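To make the device-binding plus PIN flow, and the "independent and dynamic" requirement, concrete, here is an added toy model in Python. It is not code from any bank, payment app, the RBI or NPCI. It simplifies real device binding, which uses asymmetric keys kept in the phone's secure hardware, to a per-device HMAC key provisioned at enrolment; the class names, the nonce lifetime and the sample user are all assumptions. The point it demonstrates is that a phished PIN alone, a replayed proof, or a proof tampered to a different amount all fail, because the device's proof is bound to one fresh nonce, one payee and one amount.

```python
"""Toy model of a device-bound, two-factor UPI-style authorisation.

Added illustration only, not any issuer's or NPCI's real protocol. A
symmetric per-device key stands in for the asymmetric keys real device
binding uses; a per-transaction server nonce makes the device's proof
dynamic and single-use.
"""
import hashlib
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 60  # assumed lifetime of a transaction challenge


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Something you know: the PIN itself is never stored, only a slow salted hash.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def transaction_bytes(user: str, nonce: str, payee: str, amount_paise: int) -> bytes:
    # Canonical encoding of exactly what is being authorised, so the device's
    # proof is bound to this payee and this amount, not just to "a payment".
    return f"{user}|{nonce}|{payee}|{amount_paise}".encode()


class Issuer:
    """Server side: holds each user's PIN hash and the bound device's key."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}
        self.nonces: dict[str, tuple[str, float]] = {}  # nonce -> (user, issued_at)

    def enrol(self, user: str, pin: str, device_key: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "pin_hash": hash_pin(pin, salt), "device_key": device_key}

    def issue_nonce(self, user: str) -> str:
        # Dynamic factor: fresh, single-use, short-lived value per transaction.
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = (user, time.time())
        return nonce

    def authorise(self, user: str, nonce: str, payee: str, amount_paise: int,
                  device_tag: bytes, pin: str) -> tuple[bool, str]:
        rec = self.users.get(user)
        if rec is None:
            return False, "unknown user"
        entry = self.nonces.pop(nonce, None)  # pop: a nonce can be consumed once
        if entry is None or entry[0] != user:
            return False, "nonce unknown or already used"
        if time.time() - entry[1] > NONCE_TTL_SECONDS:
            return False, "nonce expired"
        # Factor 1, something you have: the bound device must have signed this exact transaction.
        expected = hmac.new(rec["device_key"], transaction_bytes(user, nonce, payee, amount_paise), "sha256").digest()
        if not hmac.compare_digest(expected, device_tag):
            return False, "device proof invalid"
        # Factor 2, something you know: the PIN is checked independently of the device.
        if not hmac.compare_digest(hash_pin(pin, rec["salt"]), rec["pin_hash"]):
            return False, "wrong PIN"
        return True, "approved"


class BoundDevice:
    """Client side: the key lives only on the enrolled phone."""

    def __init__(self, user: str, device_key: bytes) -> None:
        self.user, self.device_key = user, device_key

    def sign(self, nonce: str, payee: str, amount_paise: int) -> bytes:
        return hmac.new(self.device_key, transaction_bytes(self.user, nonce, payee, amount_paise), "sha256").digest()


def demo() -> dict[str, tuple[bool, str]]:
    """Runs the constructed scenarios below and returns each outcome."""
    issuer = Issuer()
    key = secrets.token_bytes(32)
    issuer.enrol("alice@upi", "4821", key)       # constructed sample user and PIN
    phone = BoundDevice("alice@upi", key)
    results: dict[str, tuple[bool, str]] = {}

    # 1. Legitimate Rs 50 chai payment from the bound phone with the right PIN.
    n = issuer.issue_nonce("alice@upi")
    results["legit"] = issuer.authorise("alice@upi", n, "chai@upi", 5000, phone.sign(n, "chai@upi", 5000), "4821")

    # 2. Attacker phished the PIN but holds no device key: device proof fails.
    n = issuer.issue_nonce("alice@upi")
    stranger = BoundDevice("alice@upi", secrets.token_bytes(32))
    results["stolen_pin"] = issuer.authorise("alice@upi", n, "attacker@upi", 5_000_000,
                                             stranger.sign(n, "attacker@upi", 5_000_000), "4821")

    # 3. A captured valid proof is replayed: the nonce was already consumed.
    n = issuer.issue_nonce("alice@upi")
    tag = phone.sign(n, "chai@upi", 5000)
    issuer.authorise("alice@upi", n, "chai@upi", 5000, tag, "4821")
    results["replay"] = issuer.authorise("alice@upi", n, "chai@upi", 5000, tag, "4821")

    # 4. Proof for Rs 50 tampered into Rs 50,000 in transit: signature no longer matches.
    n = issuer.issue_nonce("alice@upi")
    tag = phone.sign(n, "chai@upi", 5000)
    results["tampered_amount"] = issuer.authorise("alice@upi", n, "chai@upi", 5_000_000, tag, "4821")

    # 5. Right phone, wrong PIN: the second factor still has to be independently correct.
    n = issuer.issue_nonce("alice@upi")
    results["wrong_pin"] = issuer.authorise("alice@upi", n, "chai@upi", 5000, phone.sign(n, "chai@upi", 5000), "0000")
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16s} {'APPROVED' if ok else 'DENIED'} ({why})")
```

Two design choices carry the security argument: the nonce is popped on first use, so a proof intercepted by malware cannot be replayed even within its lifetime, and the signed message includes payee and amount, so the device factor authorises one specific payment rather than "whatever comes next" on the channel. Note also the order of checks: the device proof is verified before the PIN hash is computed, which keeps the expensive PIN check away from unauthenticated requests.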
Risk-based Authentication (RBA) adds another layer of intelligence to this system. Rather than applying the same level of friction to every transaction — which would slow down a ₹50 chai payment the same way as a ₹50,000 transfer — RBA calibrates security checks based on the risk profile of each specific transaction.
How Risk Profiling Works for Your Payments
Under risk-based authentication, transactions are assessed in real time and classified into risk categories that determine how much additional verification is required.
Low-risk transactions — small-value payments from a recognised device, to a familiar merchant, at a consistent geographic location, within your normal spending pattern — are processed with minimal visible friction. The security layers are active in the background, but you may not notice them at all.
High-risk transactions — those initiated from a new or unrecognised device, from an unusual location, to an unfamiliar merchant, or involving a significantly higher amount than your norm — will trigger explicit additional verification steps. You may be asked to authenticate via biometric, confirm a push notification, or complete an in-app approval before the payment goes through.
This means most of your day-to-day payments — paying for groceries, splitting a bill, recharging your mobile — will remain fast and largely unchanged. The extra steps are reserved for situations that genuinely carry higher risk.
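The risk tiers above can be read as a scoring policy: each signal adds to a score, and the score decides whether the payment goes through silently, needs an explicit second check, or is held. The following Python block is an added illustration of that shape; it is not the scoring used by any bank, payment app or NPCI, and the signals, weights, thresholds and the sample customer are all assumptions. Only the ₹1 lakh daily cap comes from the page itself.

```python
"""Added illustration of risk-based step-up for UPI-style payments.

Not any issuer's real model: signals, weights and thresholds are assumed
values chosen to show the structure of the decision, not its tuning.
"""
from dataclasses import dataclass, field

STEP_UP_AT = 40          # assumed: score at/above which an explicit second check is demanded
HOLD_AT = 80             # assumed: score at/above which the payment is held for review
DAILY_CAP_PAISE = 100_000 * 100  # standard Rs 1 lakh daily UPI limit, in paise


@dataclass
class Profile:
    """What the issuer already knows about the customer (constructed sample data)."""
    known_devices: set[str]
    known_payees: set[str]
    usual_cities: set[str]
    median_amount_paise: int
    daily_spent_paise: int = 0


@dataclass
class Txn:
    device_id: str
    payee: str
    city: str
    amount_paise: int
    device_age_hours: float   # hours since this device/app install was bound


@dataclass
class Decision:
    score: int
    action: str               # "silent", "step_up" or "hold"
    reasons: list[str] = field(default_factory=list)


def assess(profile: Profile, txn: Txn) -> Decision:
    """Scores one transaction against the customer's own history."""
    score, reasons = 0, []
    if txn.device_id not in profile.known_devices:
        score += 45
        reasons.append("unrecognised device")
    elif txn.device_age_hours < 24:
        score += 25
        reasons.append("device bound less than 24h ago")
    if txn.payee not in profile.known_payees:
        score += 15
        reasons.append("new payee")
    if txn.city not in profile.usual_cities:
        score += 20
        reasons.append("unusual location")
    # Amount is judged relative to the customer's habit, not as an absolute rupee figure,
    # so Rs 3,000 is routine for one person and a step-up trigger for another.
    if txn.amount_paise > 10 * profile.median_amount_paise:
        score += 30
        reasons.append("amount >10x customer median")
    elif txn.amount_paise > 3 * profile.median_amount_paise:
        score += 10
        reasons.append("amount >3x customer median")
    # The daily limit is a hard cap applied regardless of how clean the score looks.
    if profile.daily_spent_paise + txn.amount_paise > DAILY_CAP_PAISE:
        return Decision(100, "hold", reasons + ["would exceed daily limit"])
    if score >= HOLD_AT:
        action = "hold"
    elif score >= STEP_UP_AT:
        action = "step_up"
    else:
        action = "silent"
    return Decision(score, action, reasons)


def demo() -> dict[str, Decision]:
    """Constructed customer and transactions covering each tier."""
    alice = Profile(
        known_devices={"dev-A1"},
        known_payees={"chai@upi", "grocer@upi"},
        usual_cities={"Pune"},
        median_amount_paise=25_000,       # Rs 250 typical payment
        daily_spent_paise=1_200_000,      # Rs 12,000 already spent today
    )
    cases = {
        "chai_known_phone": Txn("dev-A1", "chai@upi", "Pune", 5_000, 400),
        "new_phone_new_payee": Txn("dev-Z9", "unknown@upi", "Pune", 5_000, 0.5),
        "big_transfer_known_phone": Txn("dev-A1", "landlord@upi", "Pune", 3_000_000, 400),
        "everything_unusual": Txn("dev-Z9", "unknown@upi", "Kolkata", 3_000_000, 0.5),
        "over_daily_limit": Txn("dev-A1", "grocer@upi", "Pune", 9_000_000, 400),
    }
    return {name: assess(alice, t) for name, t in cases.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:26s} score={d.score:3d} {d.action:8s} {', '.join(d.reasons)}")
```

The Rs 50 chai payment from the usual phone scores zero and passes silently, while the same Rs 50 from a freshly bound phone to a new payee is pushed to a step-up, which is the behaviour the section describes: friction follows risk, not amount alone.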
NPCI's Operational Rules: What Else Governs Your UPI App
Alongside the RBI's authentication rules, the National Payments Corporation of India (NPCI) has a set of operational rules that directly affect how UPI apps function. These rules are designed to manage the enormous load on the UPI network and improve system stability.
You can perform a maximum of 50 balance check queries per UPI app per day, preventing the kind of excessive automated polling that degrades system performance. The lookup that lists the bank accounts linked to your mobile number is capped at 25 requests per app per day. For payments that are stuck in a pending state, you can only check the transaction status up to three times, with a mandatory 90-second wait between each attempt.
Recurring payments, including EMI debits, subscription charges, and utility auto-debits, are processed during off-peak hours, specifically before 10 AM, between 1 PM and 5 PM, or after 9:30 PM, to reduce network congestion during busy transaction windows.
UPI services linked to mobile numbers that have been inactive for more than 90 days may be deactivated by NPCI to prevent ghost accounts from being exploited by fraudsters. If your registered mobile number has changed or you have not used UPI in a while, it is worth checking that your number and bank account details are still active and updated.
NPCI is also working on capping any single third-party UPI app at 30% of total transaction volume, a measure intended to prevent monopolisation and encourage competition in the payments ecosystem. The compliance deadline for this cap has been extended to December 31, 2026.
What About International UPI Payments?
India’s UPI has expanded globally, with acceptance in countries including Singapore, UAE, France, Mauritius, Bhutan, and Nepal. The new security framework addresses international usage with a specific rule: payments abroad via UPI now require a live, in-person QR code scan.
The earlier option to pay using saved or shared QR codes outside India has been removed. This change directly targets a scam pattern where fraudsters would steal or reproduce QR codes and use them to initiate fraudulent overseas transactions. By requiring that every international UPI payment originate from scanning a fresh, live QR code in person, NPCI has significantly narrowed the scope for remote misuse.
For Indian card users shopping on overseas websites, the 2FA mandate for cross-border Card-Not-Present transactions will come into effect on October 1, 2026, giving card issuers and international merchants a transition window to update their systems.
Institutional Accountability: Banks Are Now on the Hook
One of the most consequential and underreported aspects of the April 2026 framework is the shift in liability. Previously, if a fraudulent transaction occurred, the burden of proof often fell on the customer to demonstrate that they had not authorised it — a difficult and time-consuming process that left many fraud victims without recourse.
Under the new rules, banks and payment platforms are now held institutionally accountable. If a fraudulent transaction succeeds because a bank or payment provider failed to implement the mandated authentication standards, the institution — not the customer — is liable for compensating the victim. This is a meaningful shift that creates direct financial incentive for every bank, payment app, and wallet provider to ensure their security implementation is airtight.
This change also reinforces the importance of using updated, official versions of your UPI apps. A bank's compliance only protects you if the app on your phone actually contains the new authentication layer, and an outdated build may still be running the old flow. Keeping your apps updated is no longer just good practice; it is the practical condition for the new protections, and the liability rules built on them, to work in your favour.
What You Should Do Right Now
The new rules are already live as of April 1, 2026, which means action on your part is not optional — it is immediate. Here is a concise list of what you should do today:
- Update all your UPI apps — PhonePe, Google Pay, Paytm, BHIM, or any other — to their latest versions from the official app stores
- Enable biometric authentication in your UPI app settings if you have not already done so, as it provides smoother 2FA compared to waiting for OTPs
- Verify that your registered mobile number with your bank is active, up to date, and the same as the one linked to your UPI app
- Ensure your bank account is properly linked and not flagged as inactive due to long periods of non-use
- If you have changed your phone recently, re-register your UPI and verify device binding through your bank’s app or UPI provider
- Check your bank’s specific guidelines on how it has implemented the 2FA requirement, as the second factor experience may vary across different banks and apps
- Never share your UPI PIN, OTP, or any authentication code with anyone claiming to be from a bank or payment provider — this remains the most common social engineering attack even under the new framework
Transaction Limits Remain Unchanged
Amid all the changes, one thing has stayed constant: the transaction limits. The standard daily UPI limit remains ₹1 lakh for most payment categories. For special-use cases including medical emergencies, education fee payments, insurance premiums, travel bookings, credit card bill payments, capital market transactions, and IPO applications, higher limits continue to apply as they did before.
New UPI registrations still carry a ₹5,000 ceiling for the first 24 hours, a safeguard that existed previously and continues under the new framework to limit exposure during the initial account setup window.
The Bigger Picture: Why This Moment Matters
India’s UPI processed over 18 billion transactions in a single month in early 2026, making it one of the most actively used real-time payment systems in the world. That scale is India’s strength, but it is also its greatest vulnerability in the eyes of fraudsters who see UPI as a high-value target with millions of entry points.
The April 2026 framework is the RBI’s clearest signal yet that India’s digital payment infrastructure is being treated as critical national financial infrastructure — deserving the same level of rigorous, multi-layered security as banking systems in the most advanced economies globally. By moving from a convenience-first to a security-first model, while intelligently using risk-profiling to preserve ease for low-risk transactions, the framework strikes a balance that protects the most vulnerable users without making digital payments cumbersome for everyone.
The short-term adjustment — perhaps a second or two longer for some payments — is a small price for a system that makes it vastly harder for a scammer to clean out your account with a stolen PIN and a cloned SIM card. Understanding what changed, updating your apps, and enabling biometrics are the three steps that put this protection fully to work for you.