India may soon require two-factor authentication (2FA) for most digital payments as part of a new initiative by the Reserve Bank of India (RBI). Announced on Wednesday, the proposal mandates a dynamically generated second authentication factor for various digital payment methods, including card payments, mobile banking, and prepaid channels.
There are a few exceptions, such as physical card transactions, recurring payments like premiums and subscriptions, small offline transactions under Rs 500 (around $6), and contactless payments under Rs 5,000 (around $60).
Currently, online payments in India predominantly use SMS-based one-time passwords (OTPs) for authorization. However, the RBI considers OTPs outdated in the face of modern digital risks and advocates for more advanced authentication mechanisms.
Though the RBI has not specified the replacements for OTPs, possible alternatives include biometrics, pins, passphrases, and tokens. The central bank aims to enhance security by leveraging technological advancements for authentication.
India to Mandate Two-Factor Authentication for Most Digital Payments
The proposed authentication methods are categorized into three groups: something the user has (e.g., ATM cards or software tokens), something the user knows (e.g., passwords or pins), and something the user is (e.g., biometrics such as fingerprints or facial recognition).
It will be the responsibility of banks and payment service providers to select the additional authentication factors to be used, but implementing double authentication will be compulsory.
RBI will be accepting feedback on this proposal until September 15. After the consultation period, financial institutions will be given three months to comply with the new rules. This timeline indicates a swift implementation aimed at bolstering the security framework for digital payments in India.
Additionally, the RBI has introduced a new rule related to e-mandates and Know Your Customer (KYC) processes. If no transactions occur with a vendor for six consecutive months, banks will need to redo the KYC for the mandate.
Moreover, e-mandates are now applicable for credit card payments, mutual fund and insurance payments up to Rs 1 lakh (about $1,194), and other recurring transactions up to Rs 15,000 (about $179). These measures aim to ensure continued security and compliance in the financial ecosystem.
