GCash shifts to in-app OTP system in push to curb phishing scams in the Philippines

GCash moves away from SMS-based one-time passwords (OTPs) as it rolls out an in-app authentication system starting June 22.

The shift replaces text message verification with push notifications inside the GCash app, aiming to reduce phishing risks and strengthen account security for millions of Filipino users.

The update aligns with the Bangko Sentral ng Pilipinas (BSP) directive under the Anti-Financial Account Scamming Act (AFASA), which pushes financial institutions to adopt stronger authentication systems against digital fraud.

BSP directive accelerates shift to stronger authentication systems

The transition to in-app OTPs forms part of a broader regulatory push to phase out SMS-based authentication methods. Authorities have flagged SMS OTPs as increasingly vulnerable to interception, SIM swapping, and phishing attacks.

Under AFASA, financial platforms are expected to adopt more secure multi-factor authentication (MFA) systems to reduce account takeover incidents and unauthorized transactions.

GCash said the rollout supports compliance with these cybersecurity requirements while modernizing user verification processes.

How GCash in-app OTPs work

Instead of receiving a code via SMS, users will now get authentication prompts directly inside the GCash app through secure push notifications. These prompts are tied to the user’s logged-in device, reducing exposure to external interception.

Key changes include OTPs delivered only inside the authenticated GCash app, removal of SMS-based verification codes, one-tap approval for login and transaction verification, and reduced risk of phishing via text message spoofing or SIM-based attacks.

GCash said the system is designed to streamline login flows while maintaining security controls already in place.

Stronger defense against phishing and account takeovers

Financial scams in the Philippines have increasingly targeted SMS OTP vulnerabilities, particularly through phishing links and SIM-related exploits. By shifting authentication inside the app ecosystem, GCash reduces reliance on external messaging channels.

The company also continues to use layered security systems, including Know-Your-Customer (KYC) verification, facial recognition-based “Double Safe” authentication, and multi-factor authentication (MFA) protocols.

Industry observers note that app-based authentication is becoming a global standard as digital financial platforms attempt to close gaps exploited by fraud networks.

Balancing security and user experience

Beyond security improvements, GCash also positions the in-app OTP rollout as a usability upgrade. Users no longer need to switch apps or wait for SMS delays, which can slow down transactions or cause failed logins during network issues.

The company said the change is intended to reduce friction while maintaining stronger identity verification during high-risk actions such as logins, transfers, and account changes.

Outlook: Philippine fintech security tightening

The shift marks another step in the Philippines’ broader fintech security overhaul as regulators push for stronger digital safeguards. With mobile wallets now central to everyday transactions, platforms like GCash are increasingly under pressure to balance convenience with fraud resistance.

As SMS OTPs are gradually phased out, in-app authentication systems are expected to become the new baseline for digital banking and e-wallet security in the country.
