Actionable insights on equities, fixed-income, macros and personal finance Start 14-Days Free Trial
Actionable investing insights Get Free Trial

You Can Opt Out of OTP for Small Transactions, But You Should Not.


Sick of OTPs? RBI has a new notification. You can say NO to the One Time Passwords that you need to key in every time you do an online transaction, but only for transactions less than Rs. 2000.
The idea is that the OTP is a pain. You get it by SMS. And SMS is not “deterministic” in the sense that there’s no guarantee you’ll actually get it. And then your phone’s battery may be off (and you might be trying to buy a new battery online!). Or you may be in a remote location with no mobile coverage but some internet. And if you don’t get the SMS, you can’t finish your transaction. Plus, it’s a bit of a pain to wait for it.
So the RBI says:

  • We’ll allow YOU (the cardholder) to say “I don’t want OTP, dammit”
  • But only for transactions that cost less than Rs. 2000
  • And then also, it’s not smooth
  • Because your card network – the Mastercard/Visa/Rupay – will ask you to login with a username and password you create on their website. Then only does the payment go through.
  • So they’re replaced an OTP with a password, even if you did opt out

This is not so much of a difference. So instead of entering your card details and then an OTP, you just enter a login/password for each transaction at the mastercard/visa layer. To counter, banks could offer you the ability to use a password instead of an OTP. (HDFC Bank does offer it, and I really thank them for it)
So if your card details (minus CVV) are stored at say Flipkart or Amazon, your choices are:

  • Checkout with CVV (since other card details are stored), and then OTP/Password at bank
  • or, in the new system, Checkout and enter Mastercard/Visa login and password if the transaction size is less than Rs. 2000

For a consumer, the amount of work is approximately the same.
The OTP is not sacrosanct – a bank can offer ANYTHING as a second factor of authentication. They can ask you a password, a secret question, or even a fingerprint. But many banks just default to using OTPs, which are a pain.
But now, a user has to opt out of the 2FA plan for less than Rs. 2000 transactions. Then he has to create a user id and password at the network site (like a Visa checkout or such). Then a website/online merchant has to support non-2FA authentication, and when you check out, you need to go to that site, login again and approve the transaction. Instead of keying in your card number and CVV etc, you key in the username and password.
This may not really be of big use to anyone, since the number of steps involved are similar. However, it allows you to not put your card details in a merchant website, which is a nice security measure at a new website. (However, if you don’t opt out, you can give your card details to anyone – they won’t be able to use it without an OTP/Password. You can disable international transactions – they are disabled by default)

We say: Don’t Give Up The OTP!

Imagine that a card database leaks out and after some attempts, a bot is able to charge your account with, say, Rs. 200 at a time. You will now have to fight to get it reversed, and probably file an FIR with the cops etc. This is a horrendously difficult task in India and you will waste too many days on it.
Plus, you’re going to need an OTP for transactions greater than Rs. 2000 anyhow.
And this won’t make your uber ride any easier. You can’t enter your card details and have them charge whatever they want – the card network login will be needed for each payment (and Uber won’t be allowed to store those details).
It’s just useless then to have:

  • card network login id and password if less than Rs. 2000
  • OTP if greater than 2000

Just keep the darn OTP.
It’s safer too; if you don’t have the card network login, you would be hit if people started taking out small amounts from your account on a regular basis. That will happen if your card is compromised – even a waiter noting down card details will be able to use it later at his house. (With an OTP, or with a card network login, he will need information not on the card so it’s tougher).
If you want to keep getting the OTP, don’t do anything.
If you still want to opt out of this OTP thing, then you have to wait till your card issuer enables the option to opt-out, and then manually create a user name and password at the VISA/MC/RUPAY sites (which don’t have the facility right now). Only then does the OTP stop for small translation.
But our view is that OTP is easier. So don’t opt-out.

  • Ashok says:

    There used to be something called the 3d-secure pin which my ICICI-Visa credit card used to give. This used to be very convenient, especially when travelling abroad and didn’t have access to SMS. ICICI or Visa have stopped this now and now it is only OTP. Damn!!

  • Nemo says:

    The RBI notification doesn’t mention OTP or One-Time Passwords anywhere. What makes you think it is referring to OTPs? Various banks in India already allow switching from OTP to just login-password based systems (AMEX safeKey for eg). That has been already counted as a valid 2FA medium for a long time.
    I don’t see anything in the notification that suggests that it refers to switching from OTP->Logins as 2FA.
    This is the key bit:
    >Customers opting for this facility will go through a one-time registration process requiring entry of card details, etc. and AFA by the issuing bank. Thereafter, the registered customers will not be required to re-enter the card details for every transaction at merchant locations that offer this solution and thereby save time and effort. In this model, the card details already registered would be the first factor while the credentials used to login to the solution (as confirmed by the card network providing the solution) would be the additional factor of authentication.
    “Credentials used to login to the solution” being the key word. I’m assuming this could refer to just plain simple sessions, and allow someone who has already made a payment to just take it through without having to type a OTP or a login password.

    • OTP is one form of AFA (Additional Factor Authentication) which is most prevelant today. RBI doens’t mention OTP because it doesn’t care what AFA you use.
      Yes, some banks have switched to passwords (HDFC Bank’s credit card div has).
      My reading is that login credentials will be required with every transaction. Visa/MC won’t allow you to save it (security risk) so you’ll have to key it in everytime.

  • Nemo says:

    1. RBI doesn’t care what AFA you use (Both OTP and Passwords are allowed)
    2. Login credentials will be required with every transaction. (Which is already true, either OTP/password is required with every transaction)
    How does this change anything at all? The notification becomes an exact copy of the status-quo in that case, no?

  • Sad Guy says:

    strange banks havent bothered to inform their customers about this news nor did the daily digital news papers.
    But you where the first to do so. coooooooooooooooooLL

  • alok says:

    Though OTP is a pain, I still feel it is the safest form of AFA. when its money, i would prefer safety over convenience. At the same time, I believe passwords are more pain than OTP considering every bank / visa / master have own rule of password and with so many different passwords, its highly inconvenient.