Opinion: Five OTPs before breakfast — and why that’s a problem
The OTP is no longer the trusted guardian it once was. It’s become a routine, dull buzz in our digital lives. And this complacency is proving expensive
By Kumar Ashutosh
The recent comment by the RBI governor at the Global Fintech Fest 2025 has drawn attention to the perplexing issue of rising digital fraud. The governor’s caution is well-intentioned. However, before 11 AM on a Sunday afternoon, I’ve already had to share OTPs five times — a couple of times for an e-commerce delivery, once to log into Netflix and authenticate some application on the phone, and once to confirm the payment of my gas bill. At no point did I think twice. I tapped, typed, or told someone the OTP with neither caution nor any real thought. This is precisely the problem.
The humble OTP — One Time Password — was once a clever, additional layer of security. Today, it has become another word in the daily digital noise, so much so that its psychological weight has all but vanished. We now treat OTPs like throwaway codes, not security keys. And this complacency is proving expensive.
The numbers talk
Linked with the digital transformation of the Indian economy is the unfortunate rise in financial fraud through digital channels. According to a recent reply to a parliamentary question, the government said that citizens reported losses of over Rs 22,845 crore to cyber financial frauds last year, which marks a 206 per cent surge from the Rs 7,465 crore losses reported in 2023. A mammoth share of this is linked to digital payment scams of one type or another, which nonetheless invariably involve the victim sharing OTPs with scammers, often without fully processing what transaction is underway. These are, in effect, crimes based simply on habit exploitation; scammers rely on the fact that Indians enter or share OTPs multiple times a day.
Why OTPs Are Failing
OTPs, originally conceived as an Additional Factor of Authentication (AFA), were designed for a specific purpose: To provide a layer of security beyond static passwords. But in practice, they are now used for almost everything from innocuous everyday tasks like receiving online deliveries and OTT logins to serious stuff like Aadhaar authentication, ITR filings and bank payments. In this environment, OTPs have lost their aura of caution. They are no longer red flags; they are just another mundane everyday part of our digital life. Worse, the term “OTP” itself conveys a sense of something temporary and disposable. It sounds more like a code handed to you by a service provider than a key you must guard.
A Small Word, a Big Difference
Against this background, one needs to think of a solution that can, in the absence of a technological breakthrough, address this epidemic at least partially. What if the term “OTP” were replaced with “FTP” — Financial Transaction Password — to be used exclusively for transactions that lead to an actual money transfer from one’s bank account? After all, numerous studies in behavioural economics have shown that small changes in language and framing can significantly influence behaviour. The term FTP would set these codes apart from the usual OTPs of the day, signalling to the user perhaps greater gravity and caution when sharing it.
The first step could be reserving FTP for financial transactions only.
Banks and payment system interfaces can mandatorily shift to using FTPs when authenticating money transfer instructions — whether via UPI, card-not-present payments, NEFT/IMPS transfers, or similar debit operations. All other institutions can continue using OTPs for non-financial activities. This does not disturb the commerce terminology that the public has gotten used to, and in fact raises the status of FTPs as something separate and strictly financial.
If, through smart outreach, we can raise the profile of FTP to the same importance we afford an ATM PIN, perhaps this could be a low-cost, high-impact change. It doesn’t require new encryption protocols or complex backend overhauls. It simply uses a terminology shift to trigger better human behaviour.
The Role of Regulators
The RBI and the National Payments Corporation of India (NPCI) can play a catalytic role by issuing guidelines to standardise this terminology across the banking ecosystem. Just as India set global benchmarks in digital payments through UPI, we can set a behavioural benchmark by upgrading our language of security.
Banks and fintech companies can run joint public awareness campaigns — much like earlier KYC and UPI campaigns — to help users understand the difference between OTP and FTP. Over time, this distinction will embed itself in public consciousness, just like “PIN” and “password” are now clearly differentiated.
One of the most monumental reforms of the decade and a matter of collective national pride is the incredible rise and rise of India’s digital payment revolution. Against all odds, the vision of our political and technology leaders has changed the digital landscape of India, in effect, leading to greater formalisation of the economy while reducing transaction costs incredibly. To augment this system and make it more secure, India does not need to wait for the next big encryption breakthrough.
In my professional life, I have faced the unfortunate reality of seeing how the misuse of OTP by scamsters has caused financial havoc to people’s lives. Behind the statistics of lakhs and crores lost to digital frauds every day are heart-wrenching human stories of turmoil, the darker side of online convenience.
The OTP is no longer the trusted guardian it once was. It’s become a routine, dull buzz in our digital lives. By introducing a separate terminology like FTP — Financial Transaction Password — and reserving it for specific financial transactions, we can restore seriousness where it’s needed most. After all, in cybersecurity, technology may matter, but in life, more often than not, words matter. They shape perception and trigger psychological cues.
The writer is an Indian Revenue Service officer. Views expressed are personal.