Saturday, February 21, 2026 | 10:01 AM ISTहिंदी में पढें
Business Standard
Notification Icon
userprofile IconSearch

Security upgrade: SMS-less UPI signup may be launched by next year

NPCI is working on an SMS-less, silent device-binding process for UPI to improve security and onboarding, with rollout expected over the next 12-18 months

UPI device binding, NPCI UPI upgrade, SMS-less UPI onboarding, silent mobile verification, UPI security upgrade, tokenised verification payments, telecom verification UPI, digital payments India, payment fraud prevention, real-time payments India, Na
premium

Ajinkya Kawale Mumbai

Listen to This Article

The National Payments Corporation of India (NPCI) is in talks with telecom players, technology service providers, and payments firms to change the way users sign up for the Unified Payments Interface (UPI), by upgrading the device binding process for the home-grown real-time payments system, sources in the industry told Business Standard.
 
The process of securely signing up on UPI, known as device binding, is expected to become largely invisible to users in the next 12 to 18 months, replacing the current flow that requires a SIM-based encrypted SMS to be sent from the user’s device. This comes at a time when industry stakeholders are exploring alternatives to reduce dependency on the SMS channel, and looking for tokenised processes and telecom network-based verification of users.
 
“There are some experiments happening, but the full movement is at least 12 to 18 months away, provided there are no technical issues. The implementation will be a combination of the current process and the one we are working on, but we believe the system for silent mobile verification is promising,” one of the sources with direct knowledge of the matter said.
 
NPCI did not respond to Business Standard’s queries on the matter.
 
Despite the back-end upgrade, existing user onboarding journeys will remain unchanged. Implementation decisions, a source said, were subject to proofs of concept (POC) and the impact it would have on the next 150 million users to be taken onboard the real-time payments system.
 
Another source said telecom operators had agreed to implement the technology with one POC already completed. The rollout is expected to start from April in collaboration with banks, third-party UPI apps, tech service providers, and telecom operators.
 
UPI device binding securely links a user’s mobile device to their bank account, ensuring transactions can be initiated only from the registered device. Currently, UPI applications prompt users to send an SMS during the device binding process. However, this is prone to security issues if a device is compromised or the SMS is leaked.
 
An SMS-less method is expected to solve this problem. It is also expected to drive up success rates and improve the process of user onboarding.
 
“Instead of sending an SMS, a token will be sent, and as a TSP (tech service provider), this will go to something called a secured URL. It involves a TSP integration where they will integrate with telcos. Telcos will verify the number, and TSPs will call back with verification. The process is completely back-end. It is invisible to the user,” one of the sources quoted above said.
 
The move is also expected to lower the chances of socially engineered payment frauds where users end up sending encrypted messages, which are supposed to remain private, to fraudsters. 
 
Security upgrade 
  • Industry exploring SMS-less flows for UPI device binding
  • Verification process expected to largely move to back-end
  • Aim to eliminate device risks, auto-forwarding of SMS information
  • Rollout likely over 18 months; to be a combination of current method and new silent mobile verification