20.5k unique visitors in the last 3 days

Indian Central Bank Looks at Alternatives to SMS OTPs for Authenticating Payments

Governor Shaktikanta Das of the Reserve Bank of India also wants digital currency to work offline, but his plan means issuers could place programmable limits on what money can buy.

A recent statement by the Governor of the Reserve Bank of India (RBI) caused a flurry of media speculation about the demise of SMS as an authentication factor for payments. The first monetary policy statement of the year by RBI Governor Shaktikanta Das (pictured) explicitly referred to the extent to which Indians rely on one-time passwords (OTPs) sent by SMS.

Over the years, the Reserve Bank has proactively facilitated introduction of various mechanisms such as Additional Factor of Authentication for securing digital payments. While no particular mechanism was specified by the Reserve Bank, SMS-based OTP — that is one-time password — has become very popular. With technological advancements, however, alternative authentication mechanisms have emerged in recent years. Therefore, to facilitate adoption of alternative authentication mechanisms for enhancing the security of digital payments, it is proposed to put in place a principle-based framework for authentication of such transactions.

Das elaborated a little when questioned about the preferred methods of authentication during the press conference which followed his statement.

OTP is not being reviewed. What I’m saying is that, over the years, it so happens that OTP has become the most popular, and commonly used AFA, Additional Factor of Authentication. But, with the movement of time, various other technologies and methods have come up so we want to just… tell the players in the field there are other methods also… and RBI will be agnostic to them as long as they are, you know, sound methods, banks and institutions are free to adopt them.

These anodyne remarks prompted a series of Indian journalists to claim RBI wants to end the use of SMS for authenticating transactions. These were some of the headlines that the Governor’s statement generated.

RBI wants to drop OTP, but you’ll still need a phone for authentication

RBI Urges Banks to Ditch SMS OTPs, and Explore More Secure Authentication

RBI plans to do away with OTP based authentication. What we know so far.

RBI is planning to change the OTP you use to authenticate your transaction, here’s how

The Indian press has a habit of running a long way ahead of national comms regulation, but they do tend to run in the correct direction. If a similar principle can be applied to statements from the central bank then these journalists will have correctly predicted a reduction in the use of SMS for authenticating bank customers but they are exaggerating the rate of change.

Indians are rightly concerned about the security of their personal data and news about it being abused for impersonation frauds. Almost every article about the Governor’s statement mentioned security as a reason to migrate from SMS OTPs to superior forms of remote authentication, perhaps using an app on the customer’s phone or a look-up of the customer’s biometric details from the national Aadhaar system. Additional analysis provided by businesses who were quoted by the press suggests they are lobbying RBI to support the adoption of alternatives to SMS-based authentication with the justification that this is required to reduce fraud.

Das also announced a new pilot program to enhance the use of Central Bank Digital Currency (CBDC) transactions, as currently being rolled out amongst merchants and their customers in various Indian cities.

It is now proposed to enable additional functionalities of programmability and offline capability in CBDC retail payments. Programmability will facilitate transactions for specific/targeted purposes, while offline functionality will enable these transactions in areas with poor or limited internet connectivity.

Enabling the offline use of the CBDC will be crucial to extending its operational range across India. There are many places where poor network connectivity means the CBDC blockchain cannot be updated in real time. On the other hand, making the CBDC programmable is likely to lead to restrictions on its use. Das outlined several objectives that could be realized through programmability.

  • Citizens receiving government welfare payments in the CBDC will only be able to spend the money on a limited range of products and services.
  • Businesses could program CBDC to restrict what employees can charge to travel expenses.
  • CBDC spending could similarly be limited so that it can only be made within a predefined geographic region.

The press release transcript of the Governor’s statement is here. Click here for the official YouTube video of the Governor’s statement; the link is set to skip to the 32-minute 55-second mark, when he begins talking about SMS-based authentication. Click here for the official video of the Governor’s press conference; this skips to the 43-minute 21-second mark when Das is being asked if SMS is still a preferred method of authenticating customers.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email