Last Updated: Jul 28 2025 | 11:01 PM IST
Unified Payments Interface (UPI) users may soon be able to authenticate transactions using biometrics, such as facial recognition and fingerprints, as an alternative to entering a personal identification number (PIN), according to industry players.
The National Payments Corporation of India (NPCI) is preparing to roll out this update to UPI, which is expected to enhance security and convenience. The move comes amid growing concerns around PIN theft and fraud and at a time when UPI accounts for over 80 per cent of digital transactions in the country.
Sources confirmed that the NPCI, which has been working on the feature for over a year, has shared the details with UPI ecosystem participants for review and feedback, and to ensure their readiness ahead of a potential rollout. A demo is likely to be showcased at the 2025 Global Fintech Fest.
A source who did not wish to be named said the feature was still a ‘WIP’ (work in progress). “It is a matter of having additional security that is better than a one-time password (OTP). The implementation is subject to approvals from the Reserve Bank of India, the NPCI steering committee, and the ecosystem at large,” the person said.
An email sent to the NPCI did not elicit a response till press time.
“The priority is face recognition-first. If it is enabled on your device, it will process face IDs for validation,” an executive at a payments firm said, requesting not to be named.
In the first phase, the authentication mechanism will rely on biometric data already stored on a user’s device. The system will generate an encrypted key based on the biometric data, which will be passed to the remitter bank (the user’s bank) for final verification. The NPCI’s common library for UPI will handle this encryption process securely.
“It is more like a private key stored in the device. Some value will be encrypted to it and a public key is generated, which can be sent for validation to the remitter bank. The transaction will go through after the key is verified,” a source explained.
A remitter bank is the bank holding the user’s account from which a transaction amount is debited.
Industry sources said the feature, in many ways, would be safer than traditional one-time passwords or PINs. “A user’s biometric details will not flow through the system due to sufficient encryption. It is the public key, which is a value that has already been encrypted, that gets exchanged between the systems,” the person explained.
Biometric authentication, as an alternative to PINs, is expected to enhance security, addressing issues such as forgotten PINs, repeated or weak patterns, and vulnerabilities to screen mirroring exposed through malware attacks.
During the initial rollout, biometric-approved transactions may still retain PINs as a fallback option. There is a possibility that transactions executed through biometrics may carry value limits for added safety in the early stage.
While the entire authentication process is, in some ways, fundamentally similar to processing a PIN, the use of biometrics enhances the user experience. It is, however, not clear whether biometric-based authorisation will need to be set up separately for each of the UPI apps, such as PhonePe, Google Pay, Paytm, BHIM, and others.