- On Wednesday, RBI proposed a new framework in which most digital transactions in India will require 2-factor authentication.
- SMS-based OTPs are considered outdated; the new second-factor options include PINs, tokens, or biometric credentials.
- Financial institutions can choose their own additional authentication methods but will have to comply with the new rules (i.e. double authentication) within 3 months.
India might soon make two-factor authentication compulsory for digital payments, according to a new initiative from the RBI (India’s central bank).
On Wednesday, the Reserve Bank of India (RBI) proposed a new framework that will mandate dynamically generated second authentication factors for most digital payments, including card payments, mobile banking, and prepaid channels.
The only exceptions are physical (card-present) transactions; recurring payments such as premiums, investments and subscriptions; small offline transactions (less than Rs 500, around $6); and contactless payments under Rs 5,000 (around $60).
Time to Replace OTPs, Says RBI
Right now, most online payments in India use SMS-based OTPs for payment authorization. However, RBI feels that OTPs are outdated and that modern-day digital risks require modern-day solutions.
“While OTP is working satisfactorily, technological advancements have made available alternative authentication mechanisms.” RBI
What exactly will replace OTPs hasn’t been disclosed yet, but possible options include biometrics, PINs, passphrases, tokens, etc.
To make it even clearer, RBI sorted the solutions into three categories:
- Something the user has: ATM cards or software tokens
- Something the user knows: passwords or PINs
- Something the user is: biometrics such as fingerprints and facial recognition
It will be up to the bank or the payment service provider to decide which additional authentication factor it wants to use, but having double authentication is mandatory.
RBI will accept comments on this proposal until September 15, after which financial institutions will have 3 months to comply with the rules.
E-Mandate & KYC
In addition to the two-factor authentication rule, the RBI has introduced another new rule: if a mandate with a vendor sees no transaction for six consecutive months, the bank will need to redo KYC for that mandate.
E-mandates have also been introduced for credit card payments, mutual funds and insurance payments of up to Rs 1 lakh ($1,194) and other recurring transactions of up to Rs 15,000 ($179).