About Us
GCash moves beyond SMS: In-app OTPs roll out to curb phishing and account takeovers
- Gcash
By TechWatch PH Staff
GCash is rolling out a major security upgrade as it begins shifting users from SMS-based one-time passwords to In-App OTPs, a move aimed at shutting down one of the most exploited attack vectors in digital finance: phishable text messages.
By the first quarter of 2026, OTPs will be delivered directly through secure push notifications inside the authenticated GCash app, eliminating the need for SMS.
The change addresses long-standing vulnerabilities tied to text-based OTPs, which scammers frequently intercept through phishing, SIM swap schemes, and malware.
With In-App OTPs, authentication requests are sent only to a user’s verified device and app session, ensuring that OTPs are accessible exclusively to the rightful account holder. The update also enables instant, one-tap authentication, allowing users to approve transactions without switching apps, manually typing codes, or waiting for delayed text messages.
“Our upgrade to In-App OTPs is a strategic move to put an end to phishable SMS OTPs. We will shift users to instant, GCash app-verified authentication, to increase the security of their daily transactions,” said Miguel Geronilla, Chief Information Security Officer of GCash.
The feature is part of GCash’s broader push to strengthen Multi-Factor Authentication (MFA), an industry-standard security approach that significantly lowers the risk of account takeovers even if passwords or MPINs are compromised. In-App OTPs build on the platform’s existing protections, including Know-Your-Customer (KYC) verification and Facial Recognition under its Double Safe system.
GCash said the transition enhances security without adding friction, balancing stronger safeguards with faster, more seamless transactions. The company positions the rollout as a new benchmark for digital finance security in the Philippines, reinforcing its focus on protecting millions of users from evolving fraud and phishing threats.
More details on the In-App OTP rollout are available at gcash.com.