The process of securely signing up on UPI, known as device binding, is expected to become largely invisible to users in the next 12 to 18 months, replacing the current flow that requires a SIM-based encrypted SMS to be sent from the user’s device. This comes at a time when industry stakeholders are exploring alternatives to reduce dependency on the SMS channel, and looking for tokenised processes and telecom network-based verification of users.
“There are some experiments happening, but the full movement is at least 12 to 18 months away, provided there are no technical issues. The implementation will be a combination of the current process and the one we are working on, but we believe the system for silent mobile verification is promising,” one of the sources with direct knowledge of the matter said.
NPCI did not respond to Business Standard’s queries on the matter.
Despite the back-end upgrade, existing user onboarding journeys will remain unchanged. Implementation decisions, a source said, were subject to proofs of concept (POCs) and the impact the change would have on the next 150 million users to be brought onto the real-time payments system.
Another source said telecom operators had agreed to implement the technology, with one POC already completed. The rollout is expected to start from April in collaboration with banks, third-party UPI apps, tech service providers, and telecom operators.
UPI device binding securely links a user’s mobile device to their bank account, ensuring transactions can be initiated only from the registered device. Currently, UPI applications prompt users to send an SMS during the device binding process. However, this is prone to security issues if a device is compromised or the SMS is leaked.
An SMS-less method is expected to solve this problem. It is also expected to drive up success rates and improve the process of user onboarding.
“Instead of sending an SMS, a token will be sent, and as a TSP (tech service provider), this will go to something called a secured URL. It involves a TSP integration where they will integrate with telcos. Telcos will verify the number, and TSPs will call back with verification. The process is completely back-end. It is invisible to the user,” one of the sources quoted above said.
The move is also expected to lower the chances of socially engineered payment frauds where users end up sending encrypted messages, which are supposed to remain private, to fraudsters.