RBI Urges Banks to Ditch SMS OTPs, and Explore More Secure Authentication

Banking industry professionals have raised alarms about the susceptibility of SMS-based one-time passwords (OTPs) to social engineering scams, in which fraudsters trick customers into revealing their codes or hijack their numbers through SIM swaps.

Preeti Anand


The Reserve Bank of India (RBI) has issued guidelines to regulated entities, including banks, urging them to explore alternative second-factor authentication methods and move away from SMS-based one-time passwords. Alternatives exist, but all of them still depend on the customer's mobile phone.


SMS-based OTPs are vulnerable to scams

Banking industry experts have expressed concern about the vulnerability of SMS-based one-time passwords (OTPs) to social engineering fraud, including luring customers into disclosing their codes and taking over their phone numbers through SIM swaps.

In response, authenticator apps, which generate the one-time code on the user's handset instead of receiving it over SMS, have emerged as a popular alternative to SMS OTPs, and service providers have built further options such as tokens embedded in their own mobile applications. Despite these developments, the mobile phone remains central to authentication.


OTP-less authentication system

TruSense, Route Mobile's latest venture, has introduced an OTP-less authentication mechanism. It lets a service provider establish a direct data connection with the user's device, so that identification and token exchange happen without the user having to type in an OTP.

David Vigar, Executive Vice President in charge of digital identity, advised against relying entirely on biometrics for authentication, warning that advances in artificial intelligence pose a considerable risk because deepfake technology can defeat facial recognition systems.


RBI proposes AePS Onboarding Streamlining

The Reserve Bank of India (RBI) has also proposed, in guidelines to banks, streamlining the onboarding of Aadhaar-enabled Payment System (AePS) touchpoint operators, and is considering adding further fraud risk management elements to the AePS framework.

Reasons for the change in authentication:

  • Vulnerability of SMS OTPs: SMS-based OTPs are susceptible to interception and manipulation, for example through SIM swapping and phishing attacks.
  • Need for Stronger Authentication: As digital transactions increase, robust and multi-factor authentication methods become crucial to protect sensitive financial data.
  • Evolving Fraud Landscape: Fraudsters constantly devise new techniques to exploit security vulnerabilities. Moving beyond SMS OTPs reduces the risk of unauthorised access.

Impact on Customers:

  • Banks must implement new authentication methods and educate customers on their usage.
  • Customers may initially face some inconvenience as they adapt to new procedures.
  • However, the long-term benefits of enhanced security outweigh the initial adjustments.

Will this step prove to help the customers?

  • The RBI's directive is a positive step towards strengthening the security of India's digital banking ecosystem.
  • Banks are expected to comply with the directive within a defined timeframe.
  • This move will likely pave the way for more secure and convenient customer banking experiences.