GCash To Roll Out In-App OTPs To Strengthen Security Against Digital Fraud

GCash, the Philippines’ leading finance super app and largest cashless ecosystem, is set to introduce its In-App One-Time Password (OTP) feature starting June 22, replacing traditional SMS-based authentication as part of its strengthened cybersecurity measures against phishing scams and financial fraud.

Users are advised to enable push notifications to ensure uninterrupted access to transactions and account activities during the transition.

A Shift Toward Safer, App-Based Authentication

With the new system, OTPs will now be delivered through secure push notifications directly inside the GCash app, eliminating the need to rely on SMS messages.

This upgrade is designed to deliver a safer and more seamless verification experience, ensuring that authentication requests are received only within the authenticated app environment.

According to GCash, the shift aligns with directives from the Bangko Sentral ng Pilipinas (BSP) to phase out SMS-based OTPs by June 30, 2026, in support of the Anti-Financial Account Scamming Act (AFASA), which aims to strengthen cybersecurity protections and reduce digital fraud incidents.

Addressing Vulnerabilities in SMS-Based OTPs

For years, SMS-based OTPs have been one of the most commonly exploited entry points for scammers attempting to gain unauthorized access to user accounts.

By moving OTP delivery directly into the app, GCash reduces exposure to phishing attempts and SIM-based attacks, ensuring that only the legitimate account holder can receive and approve authentication requests.

The new system also improves convenience by removing the need to switch between apps or wait for text messages, enabling faster and more secure transaction approvals.

Stronger Protection Through Multi-Factor Authentication

GCash’s transition to In-App OTPs forms part of its broader Multi-Factor Authentication (MFA) strategy, an industry-standard security approach that adds multiple verification layers to protect user accounts.

Even if passwords or MPINs are compromised, MFA significantly reduces the risk of unauthorized access.

This latest enhancement builds on existing security features already implemented by GCash, including:

Know-Your-Customer (KYC) verification
Facial recognition authentication (Double Safe)
Enhanced account monitoring systems

Together, these safeguards aim to create a more secure digital financial environment for users.

Commitment to Safer Digital Finance

GCash continues to invest in strengthening its cybersecurity infrastructure as digital threats evolve. The introduction of In-App OTPs reflects its ongoing commitment to protecting users while maintaining a smooth and convenient financial experience.

“Our upgrade to In-App OTPs is a strategic move to put an end to phishable SMS OTPs,” said Miguel Geronilla, Chief Information Security Officer of GCash. “We will shift users to instant, GCash app-verified authentication to increase the security of their daily transactions.”