A new layer of security is being added to digital wallet transactions as In-App One-Time Passwords are set to replace SMS-based authentication for GCash users, a move aimed at reducing exposure to phishing scams and fraud.
Beginning in the first quarter of 2026, users will receive their OTPs through secure push notifications within the app rather than via text messages. The shift responds to long-standing vulnerabilities associated with SMS OTPs, which have frequently been targeted by scammers.
By sending authentication requests directly to the verified app, the system ensures that only the account owner can receive and approve transaction codes. This approach helps prevent unauthorized access and lowers the risk of account takeovers.
The in-app process also improves ease of use by allowing instant, one-tap authentication. Users no longer need to wait for messages, switch between applications, or manually enter codes, making transactions both faster and safer.
“Our upgrade to In-App OTPs is a strategic move to put an end to phishable SMS OTPs. We will shift users to instant, GCash app-verified authentication, to increase the security of their daily transactions,” said Miguel Geronilla, chief information security officer of GCash.
The rollout forms part of GCash’s broader adoption of multi-factor authentication, an industry-standard security practice that adds layers of protection when accessing accounts. This reduces the risk of fraud even if passwords or MPINs are compromised.
In-App OTPs also complement existing security measures, including Know-Your-Customer verification and facial recognition under the Double Safe system. Together, these safeguards aim to enhance protection while maintaining a smooth user experience.
The introduction of In-App OTPs reinforces the platform’s continued focus on improving safety and providing secure digital financial services for millions of users.