Mumbai: Top private sector banks and telecom companies are moving beyond one-time passwords (OTPs) and are jointly developing a 'silent authentication mechanism': a background check that verifies whether the mobile number linked to a banking app matches the SIM currently active on the device.
If a discrepancy is detected, the transaction can be flagged or blocked in real time without any action required from the customer. The technology will also be extended to eSIM environments. This additional layer of verification is designed to counter fraud arising from SIM cloning and unauthorised eSIM swaps, two of the more sophisticated methods fraudsters use to intercept OTPs.
"We keep working on several pilots in collaboration with telecom companies for silent authentications that don't need customer action," said Sameer Shetty, group executive - Digital Business, Transformation & Strategic Programs at Axis Bank. "If somebody is logged into the app but the underlying mobile number does not match the one registered on the app, the mobile network can often provide that signal. This allows us to detect potential fraud silently, without requiring any action from the customer. Telecom companies can play a significant role in helping reduce fraud."
Telecom companies are also exploring delivery of OTPs through their own apps, moving away from traditional SMS-based authentication which is vulnerable to interception.
Separately, banks are rolling out face authentication, built on the Aadhaar biometric infrastructure, along with in-app OTP generation on mobile banking platforms, as part of their compliance with the Reserve Bank's two-factor authentication (2FA) mandate applicable to all transactions effective April 1.
"Banks and telcos are coming together to validate at the network level whether your SIM and device actually match before a transaction clears," said Sundareshwar Krishnamurthy, partner and India cyber leader at PwC India.
SIM cloning and eSIM swaps have worked precisely because authentication has lived in a layer that was easy to compromise, he said. "Move that verification into the network backbone, make it invisible to both the user and the attacker...add Aadhaar face authentication and in-app OTP generation to that stack, and you are not relying on any single factor anymore. Banks and telcos are actively building out the API layer to make silent authentication work," Krishnamurthy said.
As per the new framework, regulated entities must ensure that all domestic digital payment transactions are authenticated via two distinct factors, such as a PIN/password (something you know), an OTP/app token (something you have), or biometrics (something you are).
While SMS-based OTPs are not banned, the guidelines encourage banks and fintechs to adopt more secure, modern methods, including biometrics (fingerprint/face ID), app-based tokens and device-native security.
The mandate also unlocks the opportunity for third-party apps like WhatsApp to deliver transactional OTPs, estimated at 10 billion messages a month, or roughly one-fifth of the total messaging market.
Banks are also allowed to use contextual and behavioural data such as user behaviour, device reputation and location for additional security checks for high-risk transactions.
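The following is an added illustration, not code from any bank, telco or regulator named above. It sketches how a bank-side transaction gate could combine the two pieces the article describes: the two-distinct-factor rule (a PIN plus a password is not two factors, because both are "something you know") and the silent SIM/number-match signal from the network, with fail-closed handling for high-value transactions when the network returns no signal. The telco response shape `{"devicePhoneNumberVerified": true}` is an assumption loosely modelled on the CAMARA Number Verification API; the factor names, the threshold and all inputs are constructed for the example.

```python
"""Added example: transaction gate combining a two-distinct-factor check
with a 'silent' SIM/number-match signal. Not production code; the telco
response format and the risk threshold are assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Factor(Enum):
    KNOWLEDGE = "something you know"    # PIN, password
    POSSESSION = "something you have"   # SMS OTP, app token, bound device
    INHERENCE = "something you are"     # fingerprint, face


# Constructed mapping of authentication methods to factor categories.
FACTOR_CATEGORY = {
    "pin": Factor.KNOWLEDGE,
    "password": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,
    "app_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def has_two_distinct_factors(methods: Iterable[str]) -> bool:
    """True only if the methods used span at least two different categories.
    Unknown method names are ignored rather than counted as a factor."""
    categories = {FACTOR_CATEGORY[m] for m in methods if m in FACTOR_CATEGORY}
    return len(categories) >= 2


@dataclass
class SilentCheck:
    available: bool   # did the mobile network return a signal at all?
    matched: bool     # registered number == SIM currently active on the device


def parse_number_verify(response: Optional[dict]) -> SilentCheck:
    """Translate an (assumed) telco number-verification response into a
    SilentCheck. None or a malformed body means 'no signal', not 'mismatch'."""
    if not response or "devicePhoneNumberVerified" not in response:
        return SilentCheck(available=False, matched=False)
    return SilentCheck(available=True,
                       matched=bool(response["devicePhoneNumberVerified"]))


def decide(amount: int, methods: Iterable[str], silent: SilentCheck,
           high_value_threshold: int = 50_000) -> str:
    """Return 'allow', 'step_up' or 'block' for a payment transaction.

    - Fewer than two distinct factor categories: block (not compliant).
    - Network says the active SIM does not match the registered number:
      block silently, no customer action needed.
    - No network signal on a high-value transaction: fail closed and
      require a step-up (e.g. face authentication) instead of allowing.
    """
    if not has_two_distinct_factors(methods):
        return "block"
    if silent.available and not silent.matched:
        return "block"
    if not silent.available and amount >= high_value_threshold:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    # Constructed inputs: a routine payment with PIN + app token where the
    # network confirms the SIM matches, and a SIM-swap scenario.
    ok = parse_number_verify({"devicePhoneNumberVerified": True})
    swapped = parse_number_verify({"devicePhoneNumberVerified": False})
    print(decide(1_000, ["pin", "app_token"], ok))        # allow
    print(decide(1_000, ["pin", "app_token"], swapped))   # block
    print(decide(75_000, ["pin", "app_token"], parse_number_verify(None)))  # step_up
```

The point of the `available` flag is that "the mobile network can often provide that signal" is not "always": a missing signal must be distinguished from a mismatch, and the safer default for high-value transfers is a step-up rather than a silent allow.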