Explained: RBI's proposed overhaul of digital transaction authentication, moving away from OTP system
RBI proposes a shift from traditional OTP to a principle-based framework for digital transaction authentication, aiming to enhance security amidst growing digital transactions and vulnerabilities.
The Reserve Bank of India (RBI) has unveiled plans to revolutionize the authentication process for digital transactions with a proposed shift away from the conventional One-Time Password (OTP) system. The announcement, made alongside the decisions of the Monetary Policy Committee (MPC), signifies a proactive stride by the central bank towards bolstering the security of digital payments.
RBI Governor Shaktikanta Das elucidated the rationale behind the proposed transition, highlighting the evolution of authentication mechanisms amidst technological advancements. While SMS-based OTP has been widely adopted in recent years, the burgeoning landscape of digital transactions necessitates a more robust and versatile authentication framework. As such, the RBI seeks to introduce a principle-based system to accommodate alternative authentication methods, aiming to fortify the security of digital payments.
"Over the years, the Reserve Bank has proactively facilitated introduction of various mechanisms such as Additional Factor of Authentication (AFA) for securing digital payments. While no particular mechanism was specified by the Reserve Bank, SMS-based OTP has become very popular. With technological advancements, however, alternative authentication mechanisms have emerged in recent years. Therefore, to facilitate adoption of alternative authentication mechanisms for enhancing the security of digital payments, it is proposed to put in place a principle-based framework for authentication of such transactions," Das said.
What is the OTP-based system and why RBI wants to replace it
When initiating an online transaction, a common practice among banks involves sending a one-time password (OTP) via SMS to the user's registered mobile number. The recipient must input this OTP within a designated time frame to verify and complete the transaction. This SMS-based authentication method has become the standard adopted by financial institutions over the years.
As the volume of digital transactions continues to escalate in the country, the Reserve Bank of India (RBI) is inclined to encourage banks to embrace cutting-edge authentication solutions that enhance both security and convenience for customers. While SMS-OTP remains popular, its vulnerabilities necessitate exploring more robust alternatives.
Highlighting the urgency for enhanced security measures, the central bank reported in March 2023 that over 95,000 fraudulent UPI transactions were recorded between 2022 and 2023. In response to these challenges, the principles proposed by the RBI would empower regulated entities to leverage alternative modes of authentication, potentially including app-based approval and biometric authentication.
The envisaged principles aim to foster a conducive environment for the adoption of diverse authentication methods, steering away from a one-size-fits-all approach. By providing flexibility to RBI-regulated entities, the framework seeks to encourage innovation and the implementation of advanced authentication technologies. This strategic shift is anticipated to not only fortify the security of digital transactions but also enhance the overall resilience of the financial ecosystem.
In essence, the alternative system proposed by the RBI is poised to revolutionize the authentication landscape, offering a spectrum of secure and adaptable methods. As the digital economy evolves, this initiative is pivotal in ensuring that the authentication mechanisms employed by financial institutions remain adept at safeguarding against emerging threats while facilitating seamless and secure digital transactions.