To help address these growing threats, GCash is introducing a major security upgrade that could significantly improve account protection for millions of users nationwide. Beginning June 22, 2026, the country's leading finance super app will start rolling out In-App One-Time Passwords (OTPs), replacing traditional SMS-based authentication.
The move is part of GCash's broader effort to strengthen cybersecurity and protect users from increasingly sophisticated online scams.
Why GCash Is Replacing SMS OTPs
For years, SMS-based OTPs have served as an additional security layer for digital transactions. However, cybercriminals have found various ways to exploit SMS authentication through phishing schemes, social engineering tactics, SIM-related fraud, and other forms of digital deception.
Recognizing these vulnerabilities, the Bangko Sentral ng Pilipinas (BSP) directed financial institutions to phase out SMS OTPs by June 30, 2026, under the Anti-Financial Account Scamming Act (AFASA).
GCash's transition to In-App OTPs supports this nationwide initiative to improve cybersecurity standards and reduce opportunities for fraudsters to gain unauthorized access to user accounts.
How GCash In-App OTPs Work
With the new system, users will no longer receive verification codes through text messages.
Instead, OTP requests will be delivered directly through secure push notifications within the authenticated GCash app.
This creates a safer verification process because only the device that is already logged in and verified can receive and approve the authentication request.
The new process offers several advantages:
- Enhanced protection against phishing attacks
- Reduced risk of OTP interception
- Faster transaction verification
- Less reliance on mobile network signal
- A smoother user experience with fewer manual steps
Rather than waiting for a text message and manually entering a code, users can complete verification directly through the app, making transactions quicker and more secure.
Users Should Enable Push Notifications
As GCash prepares for the nationwide rollout, users are encouraged to ensure that push notifications are enabled on their smartphones.
Without push notifications activated, users may experience interruptions when completing transactions or verifying account activities once the transition takes effect.
Enabling notifications allows the app to promptly deliver authentication requests whenever an OTP is required.
For many users, this small adjustment will help ensure a seamless transition to the new security system.
Strengthening Security Through Multi-Factor Authentication
The introduction of In-App OTPs is part of GCash's broader investment in Multi-Factor Authentication (MFA), a widely adopted cybersecurity practice used by financial institutions around the world.
MFA strengthens account security by requiring multiple forms of verification before granting access or approving sensitive transactions.
According to Miguel Geronilla, Chief Information Security Officer of GCash, the transition represents a significant step toward eliminating vulnerabilities associated with traditional SMS verification.
"Our upgrade to In-App OTPs is a strategic move to put an end to phishable SMS OTPs. We will shift users to instant, GCash app-verified authentication, to increase the security of their daily transactions," he said.
By requiring authentication through the verified GCash application itself, the company aims to make it substantially harder for fraudsters to compromise accounts.
Building on Existing GCash Security Features
The new In-App OTP system complements several existing security measures already available on the platform.
Over the years, GCash has introduced multiple layers of protection, including:
Know Your Customer (KYC) Verification
User identity verification helps ensure that accounts are linked to legitimate individuals, reducing the risk of fraudulent account creation.
Facial Recognition Verification (Double Safe)
GCash's Double Safe feature adds another layer of security by requiring facial verification during specific account activities.
Enhanced Fraud Monitoring
The platform continuously invests in fraud detection and monitoring systems designed to identify suspicious account behavior and potentially unauthorized transactions.
With In-App OTPs now joining these safeguards, GCash is further strengthening its defense against evolving cyber threats.
What This Means for GCash Users
For everyday users, the transition to In-App OTPs offers a balance between stronger protection and convenience.
Instead of relying on text messages that may be delayed, intercepted, or manipulated by scammers, users can authenticate transactions directly through their trusted GCash app.
The change also reflects a broader shift happening across the financial services industry, where app-based authentication is increasingly becoming the preferred security standard.
As digital scams continue to grow in complexity, proactive measures like In-App OTPs play a critical role in protecting consumers and maintaining trust in digital financial platforms.
A Safer Future for Digital Finance
With millions of Filipinos relying on digital wallets for everyday transactions, cybersecurity remains a top priority for both consumers and financial service providers.
GCash's rollout of In-App OTPs represents an important milestone in the fight against phishing scams, account takeovers, and online fraud. By replacing vulnerable SMS-based verification with app-based authentication, the platform is taking a significant step toward creating a safer and more secure digital finance ecosystem.
As the June 30 BSP compliance deadline approaches, users are encouraged to update their app settings and enable push notifications to fully benefit from this enhanced security feature.