GCash announced a major change to how users verify their identity, shifting from text message codes to in-app notifications in a bid to fight fraud.
Starting in the first quarter of 2026, users will receive their one-time passwords, or OTPs, as push notifications directly within the GCash app. This replaces the current method of sending codes via SMS, or mobile messages.
The company said the move is a direct response to the growing threat of scams where criminals intercept text messages. The upgrade to In-App OTPs is said to be a strategic move to put an end to phishable SMS OTPs, according to GCash Chief Information Security Officer Miguel Geronilla.
He explained that by sending the code directly to the user’s already authenticated GCash app, it ensures that only the intended account holder can receive and use it, adding a stronger layer of security for daily transactions.
This change aligns with a broader push by the Bangko Sentral ng Pilipinas (BSP), the country’s central bank. Last year, the BSP urged financial institutions to move beyond SMS-based OTPs toward more advanced authentication methods to combat financial crime.
Regulations under the Anti-Financial Scamming Act now limit the use of OTPs sent by SMS and email. In its Circular 1213, the BSP stated that banks and e-wallets should “limit the use of authentication mechanisms that can be shared with, or intercepted by, third parties.”
The central bank recommends other multi-factor authentication standards, including biometrics like fingerprint or facial recognition, and behavioral analysis that tracks patterns such as typing speed. It also supports passwordless login systems that use physical security keys or biometrics alone.