Exploring authentication methods to strengthen digital payment security in India
Regulators of banking systems around the world prioritize implementing security measures to keep digital banking and payment applications secure. One approach is leveraging multi-factor authentication (MFA) to ensure someone logging in to an account is who they say they are. Some countries and regions, such as Singapore, Hong Kong, and the European Union, in particular, have a long history of regulating the use of MFA to access digital banking applications and authorize digital transactions.
The Reserve Bank of India (RBI), India’s central bank and regulator of the banking system, recently stepped up its efforts and introduced a draft framework to further enhance the security of digital payments. The new framework, entitled Framework on Alternative Authentication Mechanisms for Digital Payment Transactions, outlines requirements for Payment System Providers and Payment System Participants regarding the authentication of online payments via cards and mobile apps. More specifically, it requires financial entities to employ strong MFA to confirm digital payments.
In this article we discuss why RBI decided to introduce the new framework, which requirements it contains, and how banks can meet these requirements.
From SMS OTP to stronger authentication methods
Authentication methods aren’t new to RBI; RBI already requires financial entities to adopt a second factor to authenticate digital payments. In practice, however, this second factor often turned out to be an SMS one-time password (OTP), an authentication code delivered by SMS to the user’s mobile phone.
It is well known that SMS OTP suffers from various security vulnerabilities. Weaknesses in the SS7 protocol underlying SMS allow messages to be intercepted, mobile device malware can read SMS messages without the user noticing, and SIM swap attacks let fraudsters redirect messages to a phone under their control. Besides these security weaknesses, sending SMS messages can be expensive, which can have a significant impact on an organization’s budget. Finally, users might not receive SMS messages at all, especially when traveling or in areas with poor network coverage.
With RBI’s new framework, the organization’s goal is to transition banks and other entities involved in digital payments from the usage of SMS OTP to more advanced forms of MFA. In this way, it follows the example of other countries, such as Singapore. As stated by the Monetary Authority of Singapore (MAS) in July 2023, banks have to move away from SMS OTP:
Given the inherent vulnerability of the SMS channel, MAS has required banks to phase out SMS OTP as a sole factor to authenticate high-risk transactions.
Banks in Singapore have already moved away from sole reliance on SMS OTP for high-risk online banking activities, like adding of payees and changing of fund transfer limits.
MAS expects the same for high-risk card transactions, such as authorising online card payments. The transition has commenced, and MAS will set a deadline for all retail banks to complete this.
RBI’s new multi-factor authentication requirements
RBI’s new draft framework applies to Payment System Providers, which operate payment systems, as well as Payment System Participants, which use payment systems. Banks are an example of the latter.
The new framework essentially requires that all digital payments, conducted online via a payment card or via a mobile app, are authenticated using one or more “additional factors of authentication” (AFA), except if the framework explicitly exempts the type of payment. These additional factors are used on top of a primary authentication factor (e.g. password).
The additional factors of authentication can belong to one of the following categories:
- Something the user knows (such as a password, passphrase, or PIN)
- Something the user has (such as a hardware token, payment card, or software token)
- Something the user is (such as a fingerprint or any other form of biometrics)
Furthermore, the factors of authentication need to meet the following requirements:
- They need to be dynamically created (i.e. the factor must be generated after initiation of the payment) and be specific to the transaction
- They cannot be reused for other transactions
- They need to be different from the first factor of authentication
- They can be selected based on the risk level of the transaction
Certain types of payments are exempt from the requirement to use additional factors of authentication. These are small-value card present transactions for values up to ₹5000 ($60) per transaction in contactless mode at point-of-sale (PoS) terminals, e-mandates for recurring transactions, payments using certain types of prepaid instruments, and small-value digital offline payments up to a value of ₹500 ($6).
Finally, the company holding the account of the user must inform the payer in near real-time about digital payment transactions conducted via that account, except for small offline transactions.
RBI’s new requirements in practice
RBI’s draft framework is principle-based. It specifies that an additional factor of authentication needs to be used, but it leaves open how this additional factor should be used. This approach lets RBI provide financial entities with the freedom to select the most appropriate authentication mechanisms for their needs, as long as they meet the framework’s requirements.
In the mobile banking channel, financial entities will most likely address the requirements in the draft framework by implementing MFA in their mobile apps. The mobile app stores a cryptographic key that is used to calculate a dynamic OTP over transaction-specific data, such as the beneficiary’s account and the transaction amount. Use of the cryptographic key is protected by a biometric factor (e.g. face scan, fingerprint scan) or a knowledge factor (e.g. PIN, password). The mobile app sends the OTP to the authentication server of the financial entity for verification, after which the transaction can be executed.
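The following Python walk-through is an added example, not code from the RBI draft framework or from OneSpan's products. It models the mobile-app mechanism described above and checks it against the requirements listed earlier (factor generated after initiation, bound to the transaction, not reusable, separate from the login factor): the app derives a transaction code with HMAC-SHA256 over the beneficiary, amount and a server-issued nonce, the PIN is folded into the key with PBKDF2 so a wrong PIN produces a wrong code rather than a local yes/no oracle, and the server recomputes the code over the transaction it was actually asked to execute. The code length, truncation scheme, PBKDF2 binding, time-to-live and all account numbers, secrets and PINs are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 8               # digits in the transaction code (assumption)
CHALLENGE_TTL_SECONDS = 120   # window to approve an initiated payment (assumption)


def canonical_payload(beneficiary, amount_paise, nonce, issued_at):
    """Canonical bytes the code is bound to. Fields are digit/hex strings or ints,
    so '|' is an unambiguous separator."""
    return f"{beneficiary}|{amount_paise}|{nonce}|{issued_at}".encode()


def derive_signing_key(device_secret, pin):
    """Fold the knowledge factor into the key: a wrong PIN gives a different key,
    hence a wrong code, and nothing on the device confirms whether the PIN was right."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 100_000, dklen=32)


def transaction_code(key, payload):
    """HMAC-SHA256 over the payload, truncated to decimal digits as HOTP (RFC 4226) does."""
    digest = hmac.new(key, payload, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class MobileApp:
    """Client side: holds a per-device secret; the PIN is entered at approval time."""
    def __init__(self, device_secret):
        self.device_secret = device_secret

    def approve(self, pin, beneficiary_shown, amount_shown, nonce, issued_at):
        # The code covers exactly what the user saw on screen.
        key = derive_signing_key(self.device_secret, pin)
        return transaction_code(key, canonical_payload(beneficiary_shown, amount_shown, nonce, issued_at))


class AuthServer:
    """Server side: knows the enrolled key and the transaction it was asked to execute."""
    def __init__(self, enrolled_key, clock=time.time):
        self.key = enrolled_key
        self.clock = clock
        self.pending = {}      # nonce -> (beneficiary, amount_paise, issued_at)
        self.consumed = set()  # nonces whose code was accepted once

    def initiate(self, beneficiary, amount_paise):
        nonce = secrets.token_hex(16)   # created after initiation, unique per transaction
        issued_at = int(self.clock())
        self.pending[nonce] = (beneficiary, amount_paise, issued_at)
        return nonce, issued_at

    def verify(self, nonce, code):
        if nonce in self.consumed:
            return "rejected: code already used"
        tx = self.pending.get(nonce)
        if tx is None:
            return "rejected: unknown transaction"
        beneficiary, amount, issued_at = tx
        if self.clock() - issued_at > CHALLENGE_TTL_SECONDS:
            del self.pending[nonce]
            return "rejected: challenge expired"
        expected = transaction_code(self.key, canonical_payload(beneficiary, amount, nonce, issued_at))
        if not hmac.compare_digest(expected, code):
            return "rejected: code does not match transaction"
        self.consumed.add(nonce)
        del self.pending[nonce]
        return "approved"


def run_scenarios():
    """Constructed walk-through; returns the server's verdict for each scenario."""
    device_secret = b"constructed-device-secret-0123456789"  # random per device in practice
    pin = "4821"                                              # constructed user PIN
    app = MobileApp(device_secret)
    server = AuthServer(derive_signing_key(device_secret, pin))  # key provisioned at enrollment
    payee, amount = "50100123456789", 250000                     # constructed account, INR 2500.00
    results = {}
    # 1. Genuine payment: the user approves exactly what the server will execute.
    nonce, ts = server.initiate(payee, amount)
    code = app.approve(pin, payee, amount, nonce, ts)
    results["genuine"] = server.verify(nonce, code)
    # 2. Replay of the same code is refused.
    results["replay"] = server.verify(nonce, code)
    # 3. Tampered initiation: the beneficiary was swapped on its way to the server,
    #    but the user approved the original one, so the code is bound to other data.
    nonce, ts = server.initiate("99999999999999", amount)
    code = app.approve(pin, payee, amount, nonce, ts)
    results["tampered"] = server.verify(nonce, code)
    # 4. Wrong PIN yields a wrong key and therefore a wrong code.
    nonce, ts = server.initiate(payee, amount)
    results["wrong_pin"] = server.verify(nonce, app.approve("0000", payee, amount, nonce, ts))
    # 5. A code for one transaction cannot approve a different one, even with equal details.
    nonce_a, ts_a = server.initiate(payee, 100)
    nonce_b, _ = server.initiate(payee, 100)
    results["cross_transaction"] = server.verify(nonce_b, app.approve(pin, payee, 100, nonce_a, ts_a))
    return results


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:>18}: {verdict}")
```

Scenario 3 is the case the WYSIWYS question below is about: the code only protects what the user approved if the app signs the details shown on a display the attacker cannot alter. In a production app the device secret would live in a hardware-backed keystore unlocked by the biometric or PIN instead of being folded into PBKDF2, and the code generation would follow a published challenge-response profile such as OCRA; the binding and single-use checks on the server side stay the same.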
An open question is whether the framework will also require financial entities to implement the concept of “What You See Is What You Sign” (WYSIWYS), whereby the user verifies the transaction details on the trustworthy display of a device before approving it. This mechanism, which aims to protect against man-in-the-middle (MITM) attacks that modify transaction data, would further increase the level of security of digital payments in India.
Authentication methods for digital payment transactions
RBI's new (draft) framework marks a significant step forward in strengthening digital payment security in India. By mandating the use of strong MFA and moving away from vulnerable SMS OTPs, RBI is aligning India with global cybersecurity best practices.
The transition to more secure authentication methods will not only protect consumers from fraud but also bolster the confidence in India's digital economy. As the country continues to embrace digital payments, the implementation of these new regulations will be crucial in ensuring a safe and reliable environment for all users.
It remains to be seen how effectively financial entities will implement these new requirements. The success of this initiative will depend on their ability to adopt advanced authentication technologies that are easy to use by the Indian people.
See how financial institutions can benefit from OneSpan’s Mobile Security Suite, which is already used by hundreds of financial institutions globally to secure their mobile banking and payment apps.
Additional resources
- More information about the Reserve Bank of India’s draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions is available here.
- More information about OneSpan’s Mobile Security Suite, which banks can use to integrate strong, multi-factor authentication into mobile apps, is available here.
- Indian customers can also reach out to Pinakin Dave, Country Manager India, via [email protected].