GCash will complete its transition from SMS-based one-time passwords (OTPs) to in-app authentication by June 22, marking a major cybersecurity upgrade aimed at protecting millions of users from phishing attacks and online fraud.
The Philippines’ largest cashless ecosystem said the full rollout of In-App OTPs is part of its intensified efforts to strengthen account security and aligns with a directive from the Bangko Sentral ng Pilipinas (BSP) under the Anti-Financial Account Scamming Act (AFASA), which requires financial institutions to phase out SMS-based OTPs by June 2026.
Under the new system, verification codes will be delivered through secure push notifications directly within the authenticated GCash application rather than through text messages.
The company said the shift will significantly reduce vulnerabilities commonly exploited by cybercriminals, including phishing schemes, social engineering attacks, and SIM-related fraud.
The move comes as digital financial platforms face increasing pressure to strengthen defenses against increasingly sophisticated scams targeting consumers.
“Our upgrade to In-App OTPs is a strategic move to put an end to phishable SMS OTPs,” said Miguel Geronilla, chief information security officer of GCash.
“We will shift users to instant, GCash app-verified authentication to increase the security of their daily transactions,” he added.
Unlike SMS OTPs, which can be intercepted or manipulated through fraudulent links and unauthorized SIM activities, in-app authentication ensures that verification requests are sent only to verified devices linked to authenticated users. This substantially lowers the risk of unauthorized account access and account takeovers.
Beyond security benefits, the feature is also expected to improve user experience by enabling instant, one-tap verification. Users will no longer need to switch between applications, wait for text messages, or manually enter verification codes to complete transactions.
The rollout underscores the growing industry-wide shift toward stronger authentication standards as regulators and financial institutions seek to curb cybercrime and bolster trust in digital financial services.
GCash said the new OTP system complements its broader security framework, which includes multi-factor authentication, Know-Your-Customer (KYC) verification, and facial recognition technology through its Double Safe feature.
As digital payments continue to gain traction across the country, the company said strengthening platform security remains a top priority to ensure safer and more reliable financial transactions for millions of Filipinos.
