While biometric authentication is generally considered more secure than OTPs, rapid advances in AI technology are also making it easier for malicious actors to exploit vulnerabilities and steal users’ data.
UAE banks have fully shifted away from traditional one-time passcodes (OTPs) and security PINs toward in-app authentication systems, which often rely on biometric data for online transactions.
The transition has been introduced to strengthen security and address rising cases of phishing and fraud. However, the move toward biometric verification has also prompted concerns among some UAE residents about the safety and reliability of such systems.
Consent and privacy concerns
“I understand why banks are strengthening security measures,” said Dubai resident Ann M., noting that scams and fraud cases have become increasingly common.
“But making biometric authentication mandatory raises concerns for me around consent, privacy, and responsibility,” she added.
The media professional raised concerns over the security of biometric authentication, noting that while it may reduce the risk of remote fraud, victims could still be vulnerable to physical coercion.
“There is a valid trust issue, which means customers should be allowed to choose how to secure their device,” she added.
The Dubai resident said that although biometric security can offer convenience and help reduce certain types of fraud, consumers should retain the right to decide how they access and protect their finances.
Harder to change biometrics
While biometric authentication is generally considered more secure than OTPs, rapid advances in AI technology are making it easier for malicious actors to exploit or imitate biometric data and extract information that could potentially be used for fraud.
Maher Yamout told Khaleej Times that banks must ensure biometric data is properly encrypted and securely stored to reduce the risk of exposure to scammers.
He noted that unlike PINs or passwords, biometric identifiers cannot be easily changed once compromised, making strong data protection measures essential to safeguard users.
“Since biometric information cannot simply be changed like a password if compromised, organisations have a responsibility to implement the highest levels of security to protect it from unauthorised access or misuse,” Maher Yamout said.
The UAE Central Bank’s official rulebook states that banks must safeguard customers’ credentials against vulnerabilities and unauthorised access, while also regularly monitoring biometric systems to detect potential security breaches.
The expert added that the most secure approach is to combine biometrics with PINs or other authentication factors. “This creates multi-factor authentication, requiring users to provide something they are (biometrics) and something they know (a PIN or password). Using two-factor, or even three-factor authentication, significantly reduces the likelihood of unauthorised access and strengthens protection for financial transactions and sensitive data,” he said.
‘Not a choice anymore’
Rihea Sadarangani echoed similar concerns, noting that fingerprints cannot be changed and may sometimes fail during in-app authentication.
“What concerns me more is that it has stopped being a choice. You open the app, and you’re nudged, then pushed, and eventually more or less required to enable biometrics. There should be a choice for a PIN or fingerprint,” she said.
Sadarangani, founder and CEO of marketing agency Iconic Episode, added that she is not fully convinced biometric systems are always safer for users.
“A PIN, used carefully, doesn’t carry the same risk,” she said. “Biometrics have their place, and the convenience is real. But banks should let customers decide for themselves what they’re willing to trade for it, rather than making that decision on their behalf.”
