Blockchain-based Verifiable credentials - RBI says no to OTP for digital payments
RBI introduces a novel verification method for digital transactions, steering away from the traditional OTP.
Speaking during the monetary policy statement address, RBI Governor Shaktikanta Das said: "With innovations in technology, alternative authentication mechanisms have emerged in recent years. To facilitate the use of such mechanisms for digital security, it is proposed to adopt a principle-based “Framework for authentication of digital payment transactions”."
The RBI said that although it has not recommended any particular additional factor of authentication (AFA), payment mediums have largely adopted SMS-based one-time passwords (OTPs). Now the RBI wants to look into new ways to authenticate online transactions.
The central bank plans to issue comprehensive guidelines separately that will set out the specifics of this principle-based authentication framework. At present, for Unified Payments Interface (UPI) transactions, banks typically require an OTP for authentication purposes. However, the OTP system is not foolproof. According to finance ministry records, India reported over 95,000 cases of UPI fraud in fiscal year 2022-23.
This prompts the question: why was there ever a need for second or multi-factor authentication? The answer lies in the inherent vulnerabilities of user IDs and passwords, which lack robust authentication measures and are susceptible to theft and misuse, as evidenced by numerous cases worldwide.
However, there is a way to log in without relying on passwords and OTPs. By integrating the KYC of bank account holders with their account details to create a verifiable account credential, users can securely and seamlessly log in using this credential for financial transactions.
Verifiable credential technology emerges as a highly effective alternative for secure authentication in banking. Blockchain-based verifiable credentials could offer solutions to enable Indian banks to implement passwordless and OTP-less login systems. These systems utilize cryptographic credentials to securely verify users' identities, reducing dependence on conventional methods like passwords and SMS-based OTPs. Integration with verifiable credential technology presents a safer and smoother authentication experience for banking transactions.
For example, Digi Yatra Foundation is using Hyperledger Indy blockchain to provide verifiable credentials to air travellers in India.
What is this new technology, and how mature is it?
What are verifiable credentials?
Verifiable credential technology emerges as a promising solution for secure authentication in banking and digital payments. This technology enables the creation and verification of digital credentials that are cryptographically secure and tamper-resistant. These credentials can encapsulate a wide range of identity attributes, including KYC information, and be used to authenticate users in a passwordless and OTP-less manner.
Zero-Knowledge Proofs
Zero-knowledge proofs are cryptographic methods that enable a user to prove knowledge of a value without disclosing the actual value. The W3C Verifiable Credentials data model supports being secured with zero-knowledge proof mechanisms.
Password-less Authentication
Passwordless authentication is a means of verifying a user's identity without using a password. Instead, passwordless authentication uses more secure alternatives like possession factors (one-time passwords [OTP], registered smartphones) or biometrics (fingerprint, retina scans).
Hyperledger Indy provides tools, libraries, and reusable components for providing digital identities rooted on blockchains or other distributed ledgers so that they are interoperable across administrative domains, applications, and any other silo. Indy is interoperable with other blockchains or can be used standalone powering the decentralization of identity.
Indicio
Indicio is the market leader in developing enterprise-class verifiable data solutions that optimize existing software and systems ensuring digital privacy, efficiency, and trust. Through its flagship product range, Indicio Proven™, companies now have an easy way to integrate, implement, and scale decentralized identity and verifiable credential solutions, manage data privacy, and avail of enhanced, Zero-Trust enabling security. Specializing in applications for financial, healthcare, and travel markets, Indicio enables its global customers to create and use immediately actionable, verifiable data and implement Web 2.0 and Web3 digital transformation.
IOMe by MOI Technology Blockchain
IOMe is a user-owned decentralized identity and authentication solution that lets users interoperate between web2 and web3 networks. It extends MOI protocol's identity infrastructure with zero-knowledge technology to provide easy, and secure digital interactions.
Even the W3C recommends verifiable credentials.
The World Wide Web Consortium (W3C) develops standards and guidelines to help everyone build a web based on the principles of accessibility, internationalization, privacy and security.
https://www.w3.org/TR/vc-data-model-2.0/
In conclusion, the RBI's initiative to explore alternatives to OTP for second-factor authentication reflects a broader effort to strengthen security in digital payments. By embracing innovative solutions such as verifiable credential technology, Indian banks can enhance security, improve the user experience, and stay ahead of evolving cyber threats in an increasingly digital world.
References:
https://www.beyondidentity.com/resources/passwordless-authentication
Kamlesh, your insights on the RBI's initiative to explore alternatives to OTP for second-factor authentication are truly enlightening and much needed in today's digital world. Your expertise in blockchain and fintech is evident in your analysis of this crucial development. Keep up the great work!
Founder & CEO, Group 8 Security Solutions Inc. DBA Machine Learning Intelligence
9mo: Gratitude for your contribution!
TechAdvisory for Indian businesses
10mo: Hi. How do Verifiable Credentials offer a foolproof alternative to SMS-based 2nd-factor authentication? We run into a similar risk if someone gets access to your private keys - correct?
CTO @ Dhiway | Open Trust Infrastructure | Data Tokenization | DPI | Finternet | DeDi | Identities | Filesystem | Storage | SJCE | JNV
10mo: It is a good and timely move by RBI. My request to those who are policy makers at RBI and other places is to consider Confidex (https://ondc.org/blog/introducing-confidex-by-ondc/) launched by Open Network For Digital Commerce (ONDC) powered by CORD when you think of blockchain, so both scale and functionality are addressed. It would be great when many central agencies work together in a decentralized way to bring more trust. Satish Mohan | Nitin Mishra | Rahul Handa | Hemant Adarkar | Rahul Kulkarni | Venkatesh Hariharan | Sankarshan Mukhopadhyay | Abhishek Singh | Dhiway
Global Sales Strategist | New Business Development ! Winning New Markets
10mo: Great initiative by RBI! Exploring alternatives to OTP for authentication will definitely strengthen digital payment security. 💪🔒 #DigitalPayments #SecureAuthentication