Farewell to OTP ?, RBI suggests principle-based authentication for digital payments
In a recent announcement, the Reserve Bank of India (RBI) has disclosed plans to revamp the verification process for digital transactions, proposing a shift away from the conventional One-Time Password (OTP) system.
This initiative, presented as a principle-based framework, aims to adapt to evolving technological landscapes and foster the adoption of alternative authentication mechanisms for heightened transaction security.
RBI Governor Shaktikanta Das stated, “With technological advancements, however, alternative authentication mechanisms have emerged in recent years. Therefore, to facilitate the adoption of alternative authentication mechanisms for enhancing the security of digital payments, it is proposed to put in place a principle-based framework for authentication of such transactions.”
The proposed framework, yet to be detailed comprehensively, signals a departure from the prevalent SMS-based OTP authentication widely employed by financial institutions during digital transactions.
This move comes in response to the growing number of digital transactions in the country, prompting the RBI to encourage banks to explore and implement advanced authentication solutions that offer both enhanced security and convenience for customers.
The existing OTP-based system operates by sending a one-time password to the user’s registered mobile number, requiring input within a specific timeframe to validate and complete the transaction. Despite its popularity, SMS-OTP has faced vulnerabilities, as evident by the RBI’s disclosure in March 2023, citing over 95,000 fraud UPI transactions between 2022 and 2023.
Under the envisioned principles, RBI-regulated entities may be granted flexibility to adopt diverse modes of authentication. This shift is anticipated to pave the way for innovative methods such as app-based approvals and biometric authentication, aiming to bolster the overall security posture of digital transactions in the country.