GCash has fully rolled out its In-App One-Time Password (OTP) system, replacing traditional SMS-based OTP authentication for transactions by June 22, 2026, as part of an effort to combat phishing scams and account takeovers. The move aligns with the Bangko Sentral ng Pilipinas (BSP) directive under the Anti-Financial Account Scamming Act (AFASA), which mandates the phaseout of SMS OTPs across financial institutions. According to TechPinas, the new system delivers authentication requests through secure push notifications within the GCash app.
SMS OTPs have long been a standard security layer but have become increasingly vulnerable to phishing, SIM swap fraud, and social engineering attacks. By keeping the verification process inside the authenticated app, the in-app OTP system significantly reduces the risk of interception and ensures only the legitimate account holder can access the code. This approach eliminates the need to switch apps or manually enter codes, streamlining transaction verification.
The upgrade strengthens GCash's security posture amid rising digital scams in the Philippines. The company stated that the in-app OTPs provide stronger protection and faster transactions, while complying with regulatory requirements. The full transition from SMS-based OTPs is targeted for completion by June 2026.