GCash is enhancing its security protocols by rolling out in-app One-Time Passwords (OTPs), a move designed to replace traditional SMS-based authentication.

By the first quarter of 2026, the finance superapp expects users to receive OTPs directly via secure push notifications within the application rather than through text messages.

The transition aims to address vulnerabilities associated with SMS, which scammers have frequently targeted to gain unauthorised access to user accounts.

Sending authentication requests directly to the verified GCash app guarantees that only the true account owner receives and uses the unique codes.

This new feature also promises a smoother user experience. Users will no longer need to switch between apps or manually input codes, allowing for instant, one-tap authentication.

Miguel Geronilla, Chief Information Security Officer at GCash, described the upgrade as a strategic step to eliminate “phishable” SMS OTPs.

“We will shift users to instant, GCash app-verified authentication, to increase the security of their daily transactions,” Geronilla stated.

The introduction of in-app OTPs is part of GCash’s broader strategy to implement Multi-factor Authentication (MFA).

This adds to existing protection measures such as Know-Your-Customer (KYC) verification and the ‘Double Safe’ facial recognition system.

These layers of security work together to reduce the risk of account takeovers, even in events where passwords or MPINs are compromised.

Featured image by GCash.