India's central bank on Wednesday proposed a requirement for dynamically generated second authentication factors for most digital payments.

"Reserve Bank of India had mandated additional factor of authentication (AFA) for all transactions undertaken using cards, prepaid instruments and mobile banking channels," explained the central bank.

But that mandate didn't specify which factor was required. India's financial sector and digital payments ecosystem primarily adopted SMS-based one-time passwords for AFAs.

Now the Bank (RBI) wants to move beyond SMS OTP - and to make biometrics an option.

"While OTP is working satisfactorily," according to the RBI, "technological advancements have made available alternative authentication mechanisms."

Thus, it wishes to explore other unspecified biometric options, pins, passphrases, plus hardware or software tokens as authentication solutions. It sorted the solutions into three categories: something the user has, knows, or is.

Banks will get to decide what AFA to require - but must make it dynamic. That means it would be generated after the payment is initiated and is used only once - for a single transaction - and therefore hard to fake.

Some exceptions are envisaged. These include transactions where the card is present to a value below ₹5000 ($60), subscriptions to items like mutual funds, insurance premium payments, credit card bill payments that fall within a certain range, digital toll payments, and offline digital transactions - those that don't require internet connectivity - less than ₹500 ($6). The last probably refers to systems for paying for public transport and the like.

The RBI has sought comments and feedback on the draft framework by September 15 and compliance within three months from when the directions are issued ®

https://www.theregister.com//2024/08/02/india_contemplates_compulsory_dynamic_2fa/