Bangalore, October 30, 2025: Zeta, a next-generation banking technology and payments processing provider, today announced Cipher AFA, an advanced authentication platform that enables banks to achieve immediate compliance with the Reserve Bank of India’s (RBI) new Additional Factor of Authentication (AFA) mandate, issued under the Authentication Mechanisms for Digital Payment Transactions Directions, 2025 (effective April 1, 2026).
Part of Zeta’s Cipher Identity and Access Management (IAM) suite, Cipher AFA is a highly scalable, multi-factor authentication platform that helps banks and fintechs secure every digital payment transaction through risk-based, dynamic, and phishing-resistant authentication methods, going beyond traditional OTP-based systems.
As India’s digital payments ecosystem expands rapidly and fraud incidents rise, Zeta recognized the need for stronger authentication to counter evolving threats and engineered Cipher AFA to address it.
Designed for limitless scalability and proven at over 1 million transactions per second (TPS), the platform offers a comprehensive, zero-trust identity framework spanning consumer, enterprise, and agentic domains. Cipher AFA is live with Pluxee India, HDFC Bank, and several fintechs, having processed over 800 million AFA-compliant authentications to date.
Banks and fintechs using the platform have reported a 100% elimination of OTP-related fraud and significant improvements in reliability and success rates versus OTP-only systems. Building on this proven performance, Zeta aims to command 50% of India’s banking and payments authentication market within the next 2 years.
Ramki Gaddipati, Co-founder, CTO and CEO (APAC) Zeta, said, “A decade ago, we built Cipher on the belief that strong authentication would become the foundation of digital trust, not just a regulatory necessity. We’re delighted to see the RBI now champion this vision across the ecosystem. In over ten years of powering authentication for banks and fintechs globally, we’ve seen how evolving threats demand proactive innovation. Cipher AFA reflects that journey, engineered well ahead of its time to deliver frictionless, phishing-resistant security that keeps pace with both regulatory and user expectations.”
RBI’s new AFA directions mark a major shift in India’s digital payment security framework, requiring issuers to adopt two or more distinct authentication factors drawn from three RBI-defined categories – knowledge (such as PIN or password), possession (such as device token, OTP, or smartcard), and inherence (such as biometric or behavioural identifiers).
As SMS OTPs face rising phishing, SIM swap, and delivery issues, the RBI is urging banks to adopt risk-based, dynamic, and phishing-resistant authentication methods. Cipher AFA enables banks not only to meet these mandates immediately but also to go beyond them, offering a rich and evolving catalogue of strong authentication methods that balance security, compliance, and user convenience.
The new mandate is set to push banks toward adopting stronger and more innovative authentication mechanisms, moving beyond conventional methods like OTPs that are increasingly known to be vulnerable to fraud. Emerging standards such as FIDO-compliant approaches and passkeys will make digital authentication significantly safer, capabilities that are now available in India through Zeta’s Cipher AFA platform.
Supported authentication methods include:
- Conventional methods: SMS/Email OTPs, passwords, static PINs
- Stronger and future-ready methods: Passkeys, biometrics, device tokens, dynamic PINs, Time-based OTPs, Swipe2Pay, Issuer Trusted Party Authentication, and more
Cipher AFA offers:
- A context-aware transaction risk engine that dynamically adjusts authentication strength by transaction type, user profile, channel, and other contextual factors – ensuring strong protection with minimal friction.
- Seamless interoperability with banks’ existing risk systems, allowing flexible deployment without disrupting established models.
- Easy integration across issuer processing environments, enabling support for all major card networks and UPI, as well as closed-loop and on-us transactions.
- A privacy-by-design framework that ensures data security and compliance from the ground up and is certified under India’s DPDPA regulation.
- Certifications with global and domestic standards, including EMV 3DS 2.2, ISO 27001, PCI-DSS & SOC3.
- Alignment with global authentication frameworks and standards such as PSD2 RTS (EU) and NIST 800-63 (US), ensuring readiness for cross-border and regulatory-compliant use cases.
As India’s payments ecosystem evolves, Zeta continues to empower financial institutions with future-ready technology that safeguards both compliance and customer confidence.
