by Matt Cooper
INDIA JUST MOVED BEYOND OTP. THIS IS WHAT THAT ACTUALLY MEANS FOR BANKS, FINTECHS AND PLATFORMS.
April 1 was positioned as a regulatory deadline, but in reality it marks a much more meaningful shift in how authentication is expected to work in India. The Reserve Bank of India hasn’t banned SMS OTP outright, but it has made one thing very clear: OTP on its own is no longer sufficient. Every digital payment now needs to be secured using at least two independent factors, including a dynamic element. In practice, that removes OTP as the default mechanism that the ecosystem has relied on for years.
The tone of the coverage around the directive says a lot about how it is being interpreted. One widely cited headline put it bluntly: “OTP can’t secure payments.” That may be reductive, but it reflects a broader consensus forming across the market. OTP is not disappearing, but it is being repositioned. As summaries of the RBI guidance have made clear, OTP will remain “one component… but must be combined with another independent verification step.” The shift is subtle in wording, but significant in impact.
This change hasn’t come out of nowhere. India’s digital payments market has scaled at a remarkable pace, driven largely by mobile-first journeys and the success of UPI. But the same simplicity that made OTP so effective at scale has also made it vulnerable. Fraud has evolved quickly, particularly through phishing, social engineering and SIM-related attacks, and the control has not kept pace. The RBI’s move is widely understood as a response to the “growing risks associated with OTP-based systems,” and a recognition that authentication needs to become more robust without slowing the system down.
What is notable is how the industry is responding. There is very little pushback in principle. The conversation has already shifted towards what comes next. Sanjay Tripathy, CEO of BRISKPE, described the move as encouraging “a variety of authentication mechanisms beyond just SMS-based OTPs” and called it “a critical step to increase trust.” That framing is important. This is not being treated as a compliance burden, but as a necessary evolution to maintain confidence in digital payments at scale.
At the same time, there is a growing acknowledgement of the practical challenge. Banks and fintechs are under pressure to introduce stronger authentication, but they cannot afford to add friction. Adding steps to a journey is easy. Maintaining conversion while improving security is not. Early responses are already visible, with a shift towards in-app approvals, device binding and more secure session-based authentication flows. But these approaches still require integration effort, behavioural change and, in many cases, user interaction.
There is also a more structural shift happening beneath the surface. In some interpretations of the directive, banks may be required to compensate users where security systems fail. Whether applied universally or not, the signal is clear. Authentication is no longer just a control function. It is directly tied to financial liability.
That changes how quickly organisations move and how seriously alternatives to OTP are being evaluated as India’s payments ecosystem has reached a scale where even small weaknesses become systemic risk:
UPI alone is now processing over 24,000 crore transactions annually (around 241 billion) with a total value of roughly ₹308 lakh crore. On an average day, that is more than 66 crore transactions moving through the system.
At peak, the system is handling 20+ billion transactions in a single month, with values exceeding ₹27 lakh crore, which gives a sense of just how embedded digital payments have become in everyday life.
More broadly, digital payments now account for 99.8% of transaction volume in India, which is effectively total market penetration.
UPI itself dominates this ecosystem, representing around 80% of all digital payments and acting as the default infrastructure layer for both consumer and merchant transactions.
That scale is still growing. In just the first half of 2025, UPI processed 106 billion transactions worth ₹143 trillion, with strong growth driven by everyday, low-value usage across millions of small merchants.
Underneath that, the addressable base is enormous. The UPI ecosystem already serves nearly 500 million users and 65 million merchants, making it one of the largest real-time payment systems globally.
This is where network-based authentication becomes much more relevant. The mobile network already holds a set of signals that are extremely difficult to replicate or intercept: the relationship between the number, the SIM, the device and the live connectivity. Number Verify uses those signals to confirm, silently, that the person interacting with a service is in possession of the number they claim. There is no code to intercept, no message to delay, and no action required from the user.
Through XConnect’s SAFr platform, SAFr Auth is already live, integrated with India’s operators and deployed in real-world environments. That’s a crucial advantage in a market like India, where mobile is the primary digital identity for a vast proportion of users. It offers a way to meet the RBI’s requirement for stronger, multi-factor authentication without introducing additional friction into the customer journey.
The timing is important. The RBI (Reserve Bank of India) has not dictated a single replacement for OTP, which means the market is now actively evaluating alternatives. That creates a window where approaches that combine security with usability will move quickly from pilot to production. In that context, Number Verify is not just another option. It aligns directly with the direction of travel that regulation and market demand are both pointing towards.
Looking slightly ahead, this is also why Number Verify 2 is such a significant development. The original model demonstrated that network-based authentication works, but its applicability was constrained in certain scenarios, particularly outside pure mobile data environments. Number Verify 2 addresses that by extending support across Wi-Fi and browser-based journeys and by making deployment more consistent across operators. That shift takes it from a strong capability into something much closer to standard infrastructure.
What the RBI has done, intentionally or otherwise, is accelerate the transition. OTP has not disappeared, but it has been repositioned. It is no longer the centre of the authentication model. The focus now is on layered, intelligent, low-friction verification. The organisations that move quickly to adopt that model will not just meet compliance requirements, they will improve conversion, reduce fraud exposure and strengthen customer trust at the same time.
And that is ultimately the point. This is not about replacing one factor with another. It is about changing where trust comes from. The network knows it’s you. That’s trust you and your users can count on.