India looks to biometric MFA startups to stanch flow of UPI financial fraud

The National Payments Corporation of India (NPCI) is pursuing biometric startups to provide biometric authentication for Unified Payments Interface (UPI) mobile transactions, to add additional security to the standard four-to-six digit PIN for multifactor authentication (MFA).

Tice News reports on rumors that MFA for UPI will be enabled through fingerprint biometrics on Android and through face ID verification on iPhones.

Currently, primary authentication for UPI is device-based, accomplished when users bind their device through SMS upon enrolment. A PIN provides secondary authentication.

But the Reserve Bank of India (RBI) has expressed concern that it’s not strong enough to withstand the threats of the contemporary fraud landscape – particularly given that UPI accounts for 80 percent of all online transactions in India. The bank’s latest annual report, for the fiscal year ending March 2024, shows losses to fraud of 14.57 billion rupees (US$175 million).

The RBI has announced plans to publish a framework on alternative authentication methods for digital payment transactions to help stem the tide of UPI fraud, which surged to 95,000 cases in 2022-23. It has also run public education campaigns, notably featuring Bollywood legend Amitabh Bachchan.

It is a necessary response to a risk that has grown in tandem with the UPI system since its launch in 2016. The digital payments system has seen widespread adoption. But financial scams, identity theft and other fraud techniques have adapted and developed more sophisticated mechanisms to subvert multifactor authentication.

In response, the RBI has mandated the implementation of “additional factor of authentication” (AFA). It points to a number of possible methods, including additional PINs, passwords and cards, as well as its preferred method: biometric authentication through fingerprint or face ID verification – for which the NPCI is currently scouting providers.

The NPCI has run previous challenges for authentication startups, featuring names like Tech5, Juspay, MinkasuPay and Infobip. It is unknown exactly which providers the organization is in talks with regarding the UPI authentication project.

Money Control quotes an unnamed source who says that, “while the NPCI is certain to implement the biometric authentication in a few months, the startup partner has not yet been decided. Since the regulator is keen on alternative methods to ensure risk mitigation to reduce frauds, NPCI is likely to accelerate the plan.”

Article Topics

biometric authentication  |  biometrics  |  fraud prevention  |  India  |  multifactor authentication  |  research and development  |  startup  |  Unified Payments Interface - UPI