The Reserve Bank of India has removed two-factor authentication — involving the use of one-time passwords sent to mobile phones — for online card transactions up to Rs 2,000 (US$29), Live Mint reports. “Discarding two-factor authentication is an opt-in service, which means that customers will have to specifically opt for it.” The move follows the withdrawal of Rs 500 (US$7) and Rs 1,000 ($14) notes.
- Revolut lets customers pre-authenticate their contactless card as they approach the SCA transaction limit
- Accenture issues $280bn payments revenue warning to banks
- Monzo to use app notifications to address Strong Customer Authentication communications issues
- Apple expands 3% cashback network for Apple Card holders to Walgreens and Duane Reede stores
- PepsiCo unveils customer loyalty programme that delivers cashback rewards to PayPal and Venmo accounts
One thought on “India Reserve Bank drops two-factor authentication”
Comments are closed.
“Nothing useful can be said about the security of a mechanism except in the context of a specific application and environment.” –Robert H. Courtney, Jr. His First Law.
While I am an advocate of strong authentication, requiring it to buy a hamburger is overkill. When I use my contactless card at McDonalds, McDonalds does not require a PIN.
On the other hand, when I use a mobile banking app on my iPhone, the app inherits the strong authentication (possession of the phone and the phone PIN) from the phone. Therefore, the bank allows me to opt out of using a one-time password when banking from that device (which the knows.
Note that, like most things about consumer strong authentication, whether