E-wallet operator GCash announced on Monday the rollout of its in-app one-time passwords (OTPs), allowing users to receive their codes through push notifications within the mobile app instead of via mobile messages.

GCash said the security feature will be available in the first quarter of 2026, as part of its strategy to enhance security through multi-factor authentication (MFA), an industry standard that provides multiple layers of protection when accessing an account.

“Our upgrade to In-App OTPs is a strategic move to put an end to phishable SMS OTPs. We will shift users to instant, GCash app-verified authentication, to increase the security of their daily transactions,” GCash chief information security officer Miguel Geronilla said in an advisory.

“By sending OTP requests directly to the user’s authenticated GCash app, GCash ensures that only the intended users can receive and use the unique OTPs, protecting them from unauthorized access,” GCash said.

The Bangko Sentral ng Pilipinas (BSP) last year said it is looking to have local financial institutions shift from OTPs to more advanced methods as part of its efforts to address fraud and financial crime.

Under the Anti-Financial Scamming Act (AFASA), BSP-supervised financial institutions (BSFIs) are limited in their use of OTPs sent to users via SMS and email, and are to adopt more multi-factor authentication standards.

“With the increasing prevalence of social and engineering attacks aimed at obtaining login credentials, BSFIs should limit the use of authentication mechanisms that can be shared with, or intercepted by, third parties unrelated to the transaction,” according to BSP Circular 1213.

Among the other recommended MFA methods are biometric authentication, which allows customers to use fingerprint scanning, facial recognition, and voice recognition to authorize transactions, and behavioral biometrics, which track patterns such as typing speed and mouse or device movements.

The BSP also allows for passwordless authentication that uses factors like biometrics, hardware tokens, and cryptographic keys, such as Fast Identity Online (FIDO), which allows users to log in to online accounts with biological features or a security key. —LDF, GMA Integrated News