By Tapesh Bhatnagar, Head – Digital Solutions, Giesecke & Devrient (G+D) India
India’s digital payment ecosystem now processes billions of transactions every month across UPI, cards, and mobile wallets, reflecting an economy that is rapidly shifting towards cashless convenience.
Yet the security framework underpinning this vast volume still depends heavily on SMS-based one-time passwords (OTP). While SMS-OTPs once offered a reliable layer of protection, they are increasingly exposed to phishing, call-based social engineering, SIM-swap scams and malware that quietly redirects messages.
Recognising these vulnerabilities, the Reserve Bank of India’s Authentication Mechanisms for Digital Payment Transactions Directions, 2025, mark the most significant change in authentication rules in more than a decade. The new framework replaces rigid controls with a principle-based model, giving banks the flexibility to design authentication journeys that meet three essential criteria: a) two distinct authentication factors, b) dynamic verification, and c) robustness of the authentication framework, which includes risk-based intelligence. The real question confronting the industry is no longer “How do we comply?” but “How do we build trust?”
OTP-only authentication is insufficient
The limitations of OTP-first security have become increasingly clear. OTPs were never designed to serve as a long-term defence against sophisticated fraud. In recent years, they have been systematically targeted through phishing overlays, SMS-redirection malware, and call-based social engineering techniques that silently intercept or divert messages.
There is also a growing user-experience cost. OTP delivery delays, poor network coverage, and expired messages regularly disrupt transactions. At scale, these interruptions undermine trust and contribute to abandonments on mobile apps and e-commerce platforms.
Meanwhile, digital payments are expanding at unprecedented speed. The National Payments Corporation of India (NPCI) reported robust growth in November 2025, with UPI transactions reaching 20.47 billion. Transaction volumes rose by 32% and values by 22%, making it one of the platform’s strongest monthly performances in 2025.
Yet this dramatic growth has occurred alongside rising threats. According to data submitted by the Reserve Bank of India (RBI) to Parliament, digital and loan fraud value surged to INR 36,014 crore in FY2024-25, up from INR 12,230 crore in the previous fiscal year. (The data reported by the RBI are for frauds of ₹1 lakh and above.) A significant proportion of these cases emerged from card payments and internet banking channels. Notably, of the 23,953 fraud cases reported in FY25, 13,516, or about 56.5%, originated from card payments and internet banking channels, highlighting how vulnerabilities in existing authentication flows are being actively exploited across digital payment rails.
However, these cases accounted for only ₹520 crore of the total ₹36,014 crore in fraud value, revealing that large-value frauds remain concentrated in other areas of banking.
India cannot continue scaling towards a trillion-dollar payments economy on authentication rails that are both insecure and increasingly frustrating for users.
A chance to redesign trust
The RBI’s 2025 directions introduce a fundamental shift in how the industry approaches digital identity and transaction approval.
Two-factor authentication remains mandatory, but at least one factor must now be dynamically proven, that is, a security element that changes with every transaction. In essence, authentication must evolve from a static “code” to a contextual signal that adapts in real time.
The guidelines also allow risk-based authentication. Banks can evaluate behavioural patterns, device fingerprints, location data, time of transaction, velocity checks, and historical user behaviour to determine how much authentication is required at each moment. A routine payment from a familiar phone may pass with minimal friction, while a sudden attempt from a foreign IP address or new device can trigger additional verification.
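An added illustration of the risk-based decision described above (not code from the article, the RBI directions or any G+D product). The signal names, weights and thresholds are assumptions chosen for the example, and the sample profile and transactions are constructed.

```python
from dataclasses import dataclass, field

# All weights, thresholds and field names below are assumptions chosen for
# illustration; neither the RBI directions nor the article prescribes them.
WEIGHTS = {"new_device": 40, "foreign_ip": 40, "unusual_hour": 10,
           "high_velocity": 25, "amount_outlier": 20}
STEP_UP_THRESHOLD = 40      # score at or above this triggers extra verification
VELOCITY_WINDOW_S = 600     # look-back window for the velocity check
VELOCITY_LIMIT = 3          # prior payments tolerated inside the window

@dataclass
class Profile:              # what the bank already knows about the customer
    known_devices: set
    home_country: str
    usual_hours: range      # local hours in which the customer normally pays
    typical_max_amount: float
    recent_txn_times: list = field(default_factory=list)  # epoch seconds

@dataclass
class Txn:
    device_id: str
    ip_country: str
    hour: int
    amount: float
    timestamp: int

def risk_signals(txn, profile):
    """Return the set of risk signals raised by this transaction."""
    recent = [t for t in profile.recent_txn_times
              if 0 <= txn.timestamp - t <= VELOCITY_WINDOW_S]
    checks = {
        "new_device": txn.device_id not in profile.known_devices,
        "foreign_ip": txn.ip_country != profile.home_country,
        "unusual_hour": txn.hour not in profile.usual_hours,
        "high_velocity": len(recent) >= VELOCITY_LIMIT,
        "amount_outlier": txn.amount > 3 * profile.typical_max_amount,
    }
    return {name for name, raised in checks.items() if raised}

def decide(txn, profile):
    """Score the transaction and choose the authentication journey."""
    signals = risk_signals(txn, profile)
    score = sum(WEIGHTS[s] for s in signals)
    journey = "additional_verification" if score >= STEP_UP_THRESHOLD else "standard_2fa"
    return journey, score, sorted(signals)

# Constructed sample data: a familiar phone versus a new device on a foreign IP.
PROFILE = Profile({"phone-A"}, "IN", range(8, 23), 5000.0, [1000, 1200])
ROUTINE = Txn("phone-A", "IN", 13, 1200.0, 1500)
SUSPECT = Txn("laptop-X", "DE", 3, 20000.0, 1500)
```

The lowest-risk outcome is still `standard_2fa`, since two factors remain mandatory; the score only decides whether more verification is layered on top.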
Another important shift centres on liability. If a bank does not meet the requirements and fraud occurs, the institution must compensate the customer. This moves the focus from blanket compliance to outcome-based assurance, raising the importance of building systems that genuinely prevent loss.
With this flexibility, banks can create unified authentication stacks that combine device biometrics, Aadhaar-based verification, tokenised card numbers, in-app approvals, and intelligence-driven checks. This aligns India with the global direction of travel, where security and user experience are not opposing priorities but mutually reinforcing objectives.
Turning compliance into competitive advantage
The compliance deadline may be April 2026, but institutions that adopt modern authentication early will gain a clear trust advantage. For banks and fintechs competing for customer loyalty, authentication is the front door to the entire digital banking experience.
A unified authentication layer helps banks cut drop-offs, lower fraud losses, speed up dispute resolution, and launch new digital experiences more smoothly. Authentication frameworks like G+D’s Convego® Auth-U centralise authentication across internet banking and mobile channels, where it can be used by various customer-facing applications.
By combining FIDO-based passkeys with device biometrics, Convego Auth-U eliminates passwords and SMS OTPs, boosting security while improving approval rates and delivering a smoother, more satisfying customer experience.
As Indian consumers go digital-first, trust is the key currency. RBI’s guidelines let banks move beyond compliance to create fast, seamless, and fraud-resistant payment experiences. By modernising authentication, banks safeguard customers and shape the future of confidence in India’s rapidly growing digital payments ecosystem.




