RBI wants to drop OTP, but you’ll still need a phone

For second-factor authentication, the RBI has asked regulated organizations, such as banks, to consider options other than SMS-based one-time passwords. Although there are other options that could be tried, they are all centered around a mobile phone. You would still need your phone for authentication.

According to bankers, OTPs can also be caught up in “social engineering” scams, which include tricking a customer into disclosing their password or obtaining it through a SIM swap. The most popular substitute for OTP is an authenticator app, which requires the user to get a password from another app on the phone. In addition, service providers have created alternative possibilities, such as tokens inside the mobile application. Although this proves where the communication originated, it still relies on a mobile phone.

Route Mobile, which provides a communication platform as a service, sends nearly four billion OTPs every month on behalf of various service providers, reported TOI. “The increase in digital adoption also increases the potential for digital frauds. We are seeing a gap between the emerging markets, which are seeing high growth without any discussion on the rising frauds,” said Rajdipkumar Gupta, MD & CEO of Route Mobile. He said the rising frauds have prompted the company to launch the TruSense division under Route Mobile UK to thwart identity theft.

TruSense has introduced OTP-less authentication, where the service provider will have a direct data connection with the user’s device, identify the number, and exchange a token with the device without the user having to enter an OTP. According to David Vigar, executive VP in charge of digital identity, biometrics are not a good standalone authentication option as developments in AI have brought in a new risk of deepfakes bypassing facial recognition.

“For the Indian market, the mobile phone is the best identifier as the customer must verify their identity before obtaining a connection. Emails are not as good as it is easy to generate a fake email identity. Also, anyone can generate an email without KYC,” Vigar told TOI.


Harry Byrne
