August 1, 2024 at 11:37PM
India’s central bank has proposed new requirements for the second authentication factor used in digital payments, aiming to move beyond SMS OTPs to options such as biometrics, PINs, passphrases, and hardware or software tokens. The proposal prioritizes dynamic generation and single use to enhance security; banks may choose which AFA to require, subject to mandatory compliance and to exemptions for specific transaction types.
Based on the meeting notes, the Reserve Bank of India (RBI) has proposed the implementation of dynamically generated second authentication factors for most digital payments. The previous mandate required an additional factor of authentication (AFA) for transactions made using cards, prepaid instruments, and mobile banking channels but did not specify which factor was required. The primary authentication mechanism has been SMS-based one-time passwords (OTPs).
However, the RBI now seeks to go beyond SMS OTPs and make biometrics an option for authentication. The bank wishes to explore unspecified biometric options, PINs, and passphrases, as well as hardware or software tokens, as authentication solutions, and has categorized them as something the user has, knows, or is.
Banks will have the flexibility to decide what AFA to require but must make it dynamic, ensuring that it is generated after the payment is initiated and is used only once for a single transaction. Some exceptions are envisaged for certain types of transactions, such as those involving amounts below specific thresholds and offline digital transactions.
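To make the "dynamic" and "single-use" requirements concrete, here is an added example of a server-side issuer/verifier that enforces them: a code can only be issued after the payment has been initiated, is bound to that transaction's identifier and amount, expires after a short window, and is invalidated after its first successful use. This is illustrative code written for this summary, not code from the RBI draft or from any bank; the exemption threshold, the code lifetime, the six-digit code format and the account and transaction identifiers are all constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed policy parameters for this example. The draft framework mentions
# low-value and offline exemptions, but these numbers are placeholders, not RBI figures.
LOW_VALUE_EXEMPTION_LIMIT = 500   # amounts below this skip the AFA step (assumption)
CODE_TTL_SECONDS = 120            # an issued code expires after this window (assumption)


@dataclass
class Transaction:
    txn_id: str
    account: str
    amount: int           # in minor currency units
    initiated_at: float


@dataclass
class IssuedFactor:
    code: str
    amount: int           # amount the code was issued for, to detect later tampering
    issued_at: float
    used: bool = False


class TransactionAuthenticator:
    """Server-side issuer and verifier for a dynamic, single-use second factor.

    A code can only be issued for a transaction that has already been initiated,
    is bound to that transaction's id and amount, expires after CODE_TTL_SECONDS,
    and is rejected on any second presentation.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested deterministically
        self._transactions = {}    # txn_id -> Transaction
        self._issued = {}          # txn_id -> IssuedFactor

    def requires_afa(self, amount: int) -> bool:
        return amount >= LOW_VALUE_EXEMPTION_LIMIT

    def initiate(self, txn_id: str, account: str, amount: int) -> Transaction:
        txn = Transaction(txn_id, account, amount, self._now())
        self._transactions[txn_id] = txn
        return txn

    def issue_factor(self, txn_id: str) -> str:
        txn = self._transactions.get(txn_id)
        if txn is None:
            raise ValueError("factor requested before payment initiation")
        if txn_id in self._issued:
            raise ValueError("a factor was already issued for this transaction")
        code = f"{secrets.randbelow(1_000_000):06d}"   # fresh, unpredictable 6-digit code
        self._issued[txn_id] = IssuedFactor(code, txn.amount, self._now())
        return code

    def verify(self, txn_id: str, presented: str) -> bool:
        rec = self._issued.get(txn_id)
        txn = self._transactions.get(txn_id)
        if rec is None or txn is None or rec.used:
            return False                                   # unknown transaction or replayed code
        if self._now() - rec.issued_at > CODE_TTL_SECONDS:
            return False                                   # stale code
        if txn.amount != rec.amount:
            return False                                   # transaction changed after issuance
        if not hmac.compare_digest(rec.code.encode(), presented.encode()):
            return False                                   # wrong code (constant-time compare)
        rec.used = True                                    # single use: burn it on success
        return True


def run_scenario() -> dict:
    """Walk through the lifecycle with constructed transactions and return each outcome."""
    clock = [1_000.0]
    auth = TransactionAuthenticator(now=lambda: clock[0])
    results = {}
    results["low_value_exempt"] = not auth.requires_afa(499)
    try:
        auth.issue_factor("txn-0")
        results["issue_before_initiate_rejected"] = False
    except ValueError:
        results["issue_before_initiate_rejected"] = True
    auth.initiate("txn-1", "acct-1", 2_500)
    code = auth.issue_factor("txn-1")
    wrong = "000001" if code == "000000" else "000000"
    results["wrong_code_rejected"] = not auth.verify("txn-1", wrong)
    results["first_use_ok"] = auth.verify("txn-1", code)
    results["replay_rejected"] = not auth.verify("txn-1", code)
    auth.initiate("txn-2", "acct-1", 2_500)
    code2 = auth.issue_factor("txn-2")
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired_rejected"] = not auth.verify("txn-2", code2)
    txn3 = auth.initiate("txn-3", "acct-1", 2_500)
    code3 = auth.issue_factor("txn-3")
    txn3.amount = 9_999                                    # simulate amount tampering after issuance
    results["tampered_amount_rejected"] = not auth.verify("txn-3", code3)
    return results


if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check}: {'pass' if outcome else 'FAIL'}")
```

The point a practitioner should take from this is that "dynamic" is satisfied by issuing only after initiation and binding the code to the transaction record, while "single use" is a server-side state change on first successful verification; an SMS OTP that is merely time-based but not bound to the transaction would satisfy neither property.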
The RBI has requested comments and feedback on the draft framework by September 15 and expects compliance within three months from the issuance of the final directions.