India: RBI asks banks to stop relying on OTP-based authentication, look for safer alternatives
India's central bank, the Reserve Bank of India (RBI), has asked banks in the country to ditch the traditional SMS-based second-factor authentication system and seek safer, advanced alternatives. As per media reports, while there are multiple options available, all include the use of a user’s mobile phone for authentication.
The RBI issued a detailed statement on Development and Regulatory Policies on its website on February 8, but it has not yet laid out instructions in this regard.
Currently, whenever we conduct a digital financial transaction, the fintech firm or bank typically sends an OTP to the mobile number linked to the account as an extra layer of authentication. The transaction can only proceed after entering this OTP, ensuring the security of bank accounts and preventing unauthorised use of financial data.
The RBI has not indicated any intention to completely eliminate the authentication process, but rather to streamline the AFA (additional factor of authentication) process.
“Though RBI has not prescribed any particular AFA, the payments ecosystem has largely adopted SMS-based one-time password (OTP). With innovations in technology, alternative authentication mechanisms have emerged in recent years. To facilitate the use of such mechanisms for digital security, it is proposed to adopt a principle-based ‘Framework for authentication of digital payment transactions’,” reads the statement.
In the same context, the RBI has suggested simplifying the onboarding process for Aadhaar-enabled payment system (AePS) touchpoint operators, to be supervised by banks. They will also consider further requirements for managing fraud risks.
Safer OTP-less alternative
Route Mobile's latest initiative, TruSense, has introduced an innovative OTP-less authentication system. This method allows service providers to establish direct data connections with users' devices, facilitating identification and token exchange without requiring OTP input from users.
David Vigar, Executive Vice President overseeing digital identity, warned against relying solely on biometrics for authentication. He highlighted the risks posed by advancements in artificial intelligence, particularly the potential for deepfake technology to bypass facial recognition systems.
VERY GOOD STEP