Will We Say Goodbye to OTPs in 2026? The Next Authentication Era | Govindraj Ethiraj | The Core

Hi and welcome to the core report special edition heading towards the end of 2025 and on the verge of 2026. One of

the questions that we are all asking ourselves is will 2026 see the end of OTPs or one-time passwords. I know this sounds uneconomic perhaps but it is

almost a bane of our daily existence and linked to it is a technology and regulatory architecture and therefore the question that we should ask about what should change. To do all of that, I'm joined by Prammode VMA, the

co-founder and chief architect of networks for humanity, an international network of laboratories, creating universal technology infrastructure for the AIdriven digital economy. Uh, under

the NFH efforts, Promote created or rather co-created the Finet vision, which is an initiative to build a universal infrastructure that empowers individuals and businesses to unify,

verify, and transact their assets seamlessly. And all of that will become

seamlessly. And all of that will become clearer as we keep speaking. In the

past, Proo has served as the chief architect of Aadhaar, the country's digital identity system which covers 1.4 billion people, the UPI or the unified

payment system, the e-ign, the digil locker, the account aggregator, and the which is the cross- sectoral peer-to-peer commerce network. All of

this promote has been associated with it with and perhaps the best person to first now pose the question will 2026 see the end of OTPs.

Pra lovely to see you again and uh thank you for joining me on this special edition of the core report. So we're

going to talk about uh OTP fees today on one-time password the bane of uh many of our uh combined existences for many years now um let me come to that but let

me first uh try and understand from you the architecture which has led to the need for this. So essentially uh OTPs are a way of authentication and now

increasingly for all kinds of transactions commercial non-commercial banking non-banking OTCs have OTPs have become the preferred way of uh authentication for a lot of service

providers including of course within the financial system. The the flip side is

financial system. The the flip side is that it's also becoming a bit of a problem now or a bane because it's used almost incessantly and we are constantly

trying to receive it. sometimes we don't get connectivity. Uh we are uh we have

get connectivity. Uh we are uh we have to find a way to get get connected because the mobile phone is really the the thing. So there are two or three

the thing. So there are two or three issues here. One is the fact that the

issues here. One is the fact that the mobile phone and the mobile device has become inextricable in the process of authentication. Uh and the second of

authentication. Uh and the second of course is the OTP itself. So uh so tell us broadly uh promote uh what was the uh background to this before we come to

where we are today and what could be the future of authentication >> goind always a pleasure uh been a long time so it's wonderful to chat with you

uh yes I remember our uh conversation during other days about authentication so we are back there I think what 15 16 years later uh talking about

authentication again uh yeah so if If you really look at the broad contours of how do you authenticate a person and how do you

authenticate an entity? How do you authenticate? Things are very different

authenticate? Things are very different ways to do it. But at least how do you authenticate a human being person has been using the three uh type or category

of factors. One the what I know.

of factors. One the what I know.

>> Okay. The what I know factor it's basically typically passwords, pins, uh secret codes, they're all fall into

that category of what I know. And the

second category is what I have. That

means a mechanism to authenticate the position of things that you hold. And

the third category is what I am which is where the biometrics come into play.

That's where I can use face fingerprint and Aadhaar. If you remember even those

and Aadhaar. If you remember even those days we leveraged all three uh to make sure um now the first factor first was

much harder in the case of Aadhar because 1.4 billion people trying to remember password pin is just impossible is very silly to even assume that works.

So we pretty much relied on the other two categories.

Now you can you know almost all authentications can be either single factor authentication or a multiffactor authentication.

Now you to choose a factor from any of these category you know either what I know factor or what I have factor or who

I am factor right so you have to choose one of them and so invariably uh people tend to use what is most

commonly uh popularized or possible in that scenario in that particular scenario so if you look at bank account

ATMs they were giving a card ATM card and they ask you to remember a pin. Now

the card happens to be the what I have factor. So you have to dip the card and

factor. So you have to dip the card and that proves that you have possession of that thing uh that uh you know device or

uh equipment or whatever they have given to you plus the second factor they carry on with what you know what I know which is the pin. So ATMs are typically

two-actor authentication what I have and what I know with other if it is sometimes it's single factor and the choice of single factor or multiffactor

completely depends on the risk perceived risk and the risk of that conducting transaction. It is not by the

transaction. It is not by the authentication provider. It's mostly by

authentication provider. It's mostly by the transacting party deciding that you know if you want to transact 10 rupees maybe the risk is so low single factor is good enough but if you're transacting

100,000 rupees one lakh rupees then they might say no I need to is the risk is high so I need to improve the um potential uh security of increase the

security and hence I need to use multiffactor typically these days a two factor is most preferred by people because one factor continues to be weak.

It gets you know sort of gets broken very quickly or gets stolen very quickly. Right? So um this is the same

quickly. Right? So um this is the same reason why OTPs became popular because if you look at if you want to play with

the what I have category, the only device that is pervasive in

Indian families is a phone. And so it almost tend to be the de facto.

Biometric is another one almost like a human beings carry around you know of course your face you know you can't not have your face and or a fingerprint

typically almost always. So biometric is a very safe one factor because almost everyone has it but you need some device to read them biometric device that's

okay with face it's easier because cameras have become commodity. But if

you want to fall back on the second factor, there is no popular or more you know pervasive

second factor that everyone tend to have and that is only phone and to prove the possession of the phone with you

uh and if you consider inclusion and especially pre- smartphone pre-data almost free cheap data world

if you want to really include everyone in a broad sense then you are left with the feature phone capability at that time without data and that they tend to

be OTP so you the only way you can you know sort of so that's that's a history and that's why you almost always if you want you know a de facto India thing you use a phone number to authenticate

because email is not popular nothing else is popular so you sort of use a phone number and how do you validate a phone number you know just send an OTP.

There's no other way to validate it unless they have a particular app with them that assumes a smartphone that assumes data. Now suddenly the you know

assumes data. Now suddenly the you know user base shrinks. So if you want a all pervasive inclusive you know almost guaranteed that everyone

can do then you are left with OTP.

>> Okay. So I'm I'm going to come to uh what could potentially replace and how this world could go. But before that uh if I could uh you know bring your uh or

rather draw your attention to the larger KYC issue in India and obviously now we're talking more in the context of the financial and banking system. Now KYC is an important thing but the question

increasingly I mean since we're seeing so much of manipulation is whether KYC achieves what it does and uh to that extent is the security and verification

architecture the right one or the most appropriate one. So again given where we

appropriate one. So again given where we are today uh 2025 going into 2026 where do things stand?

Yeah, there are few things that if you know as our you know at least my mentor and you know you know you have been interacting with him as well Nandanda Nelkani keeps saying trend is your

friend. If you really look at the trends

friend. If you really look at the trends where the world is going uh few things are very clear one phase or biometrics

becoming extremely popular for proof of personhood. So I think and with India is

personhood. So I think and with India is blessed with a billion and a half people 1.4 billion people almost everyone having a biometrically verifiable unique

identity. It was serendipity that we

identity. It was serendipity that we started for other reasons but is really coming in handy more and more especially in the world of deep fake and AI and

proof of personhood proving you are even human and pro proving that Indians can do it any day because of Aadhaar right it's there so we this is one trend is

that you biometric and Indians are very capable of doing that because the capability of Aadhaar and others so biometric is a very good trend to latch on to second thing is per pervasiveness

of smartphone and connectivity and that actually shifts the game from OTP to much more smarter app. Uh for example,

today um telco app almost everyone has a telco app. Now in you could bring in a

telco app. Now in you could bring in a much smarter way to actually detect whether you are holding that position.

uh and you can do digital signature, you can do key rotations, you can do many things that feature phones can't do but smartphones can data enabled phones can do right. So you can do a much smarter

do right. So you can do a much smarter way to actually detect position of phone literally on tower by tower basis. If

telos were to also bring into this fold and say can we create the next generation of uh possession proof proof of possession uh and that that is another trend we should leverage

smartphone and connectivity. The first

is biometric and the and the third for sure uh is the fact that the multiffactor authentication is going

towards the you know edges on the devices. Uh we need not look at KYC

devices. Uh we need not look at KYC um as a larger concept. I think we have talked about this in the I know you have been tracking our uh effort called the

fintet if you know some >> in the fintet paper we actually wrote about what's called layered proofing a traditional concept of KYC uh is a very

uniform little bit of a cookie cutter thinking that everybody must do this KYC and then then we had to categorize saying okay we could create a no frill account you remember that discussion

2011 with other no frrill account and then later And then in 200 you know post4 uh where we could you know they said

okay you can actually do a less version of KYC but the notion that there's a one thing called KYC it's actually incorrect. I think that's what we wrote

incorrect. I think that's what we wrote in fet.

We should be able to start with almost zero claims. If I'm transacting one rupee, what is there to prove? What what

is a risk? It is it has to be completely dynamically tunable based on the risk.

That means there is no single KYC you do. You literally enter the system and

do. You literally enter the system and based on the transaction cost what do you call the risk of transaction then the and the counterparty needs or

regulatory needs you prove your claims so sometimes they might say oh hm interesting are you going to transact across the border okay then I need to prove you you need to give me this as

well okay you need to you can literally on demand upgrade the KYC or the what you call ver verification of claims uh

to make sure that okay I am promote okay that's all you need to know easy do I have my do I have a mobile number okay do I have a bank account okay I have

bank account do I have a job do I have a minimum do I have pay taxes what's the tax I pay each of them allows the transaction to be derisk depending on

what the transaction is so I think what we wrote something called a lay concept of a layered proofing which is much more dynamic and fluid

means to think about the whole notion of d-risking a transaction that allows what is advantage of this is that today's world the third trend first trend is

mobile connectivity second trend is of course biometrics and the third trend is verifiable credentials the concept called verifiable credentials which we

began in with digil locker as early as 2015 where all your evidences and claims like you are who you are. You are a you

have a driver's license. Okay, you are an engineering degree holder. Okay, you

worked in this company. You want blah blah blah blah. You are you have a trade license. You have this license to do

license. You have this license to do this you know restaurant license in Bangalore or whatever. Right? Every one

of them is a claim to prove that claim I need some kind of verifiable proof.

Today you can do cryptographically verifiable credentials in the possession of the individuals or a company in a wallet which is what diger or now with

Apple wallet Google wallet global initiatives like that is actually kicking into full stream. If you mix these three, you will find that we are

absolutely at that time where you can actually no more need to create this cookie cutter one-time KYC requirements at all. You

can actually have everyone come in. It's

a powerful inclusion story in global south. Everyone can come in and

south. Everyone can come in and transact. And as they transact more and

transact. And as they transact more and more or high value, high risk, they need to prove more and more that allows

people to join with less friction, less paperwork, less friction, but actually make sure the transactionally they are proving for that particular transaction

because of the risk of the transaction I might have to show four more proofs that for that transaction for the other two transaction I might need. No, it's okay.

I don't need rupt because it's a low value transaction or whatever right so I think this laid proofing is a very powerful global concept that is emerging

and absolutely possible in 2025 to implement it if you were to look at next decade and that's what networks for humanity as part of our efforts today

are driving is the mechanism for every individual in the world to own their own verifiable credentials and data and to be able

prove during the transaction, allow real time proofing of the transaction and then dish the transaction regulatory requirements

without having a cookie cutter costly entry barrier which is what we go through today.

>> Right? So, uh let me pick up on two or three points I one is uh you you talked about layered uh credentials and uh you know when today for example if I'm using

a credit card I'm able to tap uh and do transactions up to let's say 3,000 rupees or 4,000 rupees and there's no further authentication required if I want to do a higher transaction then we

can uh another example uh of a slightly different kind is let's say uh uh using PG locker or Radhaar at the back end but DG yatra which is >> example

>> seamless access into airports again it's only my face it's reading it's not asking me to do anything more than that at least that's the way it seems to be working in most airports that happen so we're already at one level uh

demonstrating that we can do with single factor authentication >> yeah so my question therefore is that if that is the case what will it take to then let's say do the same kind of

layering for more uh things and if for more services or interactions and equally can we then start uh you know maybe reducing the load on some types of

transactions and also create an alternative I mean so let's say I want to log into a website even a normal website if I want to e-commerce website they say okay I'll send you an OTP you

know so uh what could be the solution that is imminent which will remove that hassle because this is typically going beyond the password

>> yeah so I think again if there is a mechanism of an authenticator of tool that is available in the hands of the

user. today why is it possible to

user. today why is it possible to actually in many places today login with Google for for example or go login with Facebook or go login with many of these

things uh web websites that allow you know what's called o like mechanisms is completely shifting that game right

that is already proving to you that once you create and as a user once you create the authentication and take control of the authenticator in your hand, you don't have to keep creating that again,

verifying that again and again. You can

actually authenticate very very rapidly.

Now, if this authenticator is on your smartphone, it even adds even at another level of because without the smartphone, you have a you have you have to prove no

sort of either through password or biometric or some sort of mechanism with your smartphone. You already have this

your smartphone. You already have this is what's happening with UPI. By the

way, many people misunderstand misunderstand UP is a single factor. UP

is actually a two factor without OTP.

UPI is a classic example of a two-factor authentication going on every transaction without violating the regulatory rules conducting payment transaction using two

factor with no OTP right where you end as a user you only enter PIN but the fact that your app app uses a digital signature a cryptographic key and it

keeps rotating the key because you are on a data connected app >> with the because of the app and a smartphone with the data connectivity.

This is you don't you can use cryptographic techniques. So instead of

cryptographic techniques. So instead of you fall back on cryptography and you can then you can say in addition to cryptography which removes the OTP

need you can now say oh you want a two factor enter pin or look at your face and just just connect it. Itself is a two factor for user it looks like one

factor because I just did face but it's actually two factor behind the scene. It

already proved in fact data is a two factor because your boarding pass the possession of travel document is already proven which is why this first factor is already proven and the second factor is

your face >> you being present there that's only so user can look like it's a one factor but behind the scene two factor that's because you're taking advantage of the

trend that most people have a smartphone and connected why are you going to a low common denominator and punishing everybody with OTP right in one sense you know today's world if you fast

forward almost everybody has a smartphone so if 80% of the people have smartphone and apps maybe you need to flip this model now to come back to UPI

like or a DJRA like or you know you can use digil lock login with digil lock whatever popular ones and there are companies also doing many companies doing uh you know without OTP app-based

authenticators in mechanism for them to say okay I've already proven the position and I can cryptographically prove to the site whichever site you're going to commerce site or whatever without again and again coming OTP

coming >> and u you know again to come back to banking and uh banking transactions which is where the maximum load uh and

pain point is uh as I can see uh what then stops banks from let's say adopting a layered approach and I'm talking about when you're doing online transactions not the using the card for tapping and

so on uh and what is it that could give them comfort? Because I sometimes wonder

them comfort? Because I sometimes wonder when I look at all the digital uh scams and the digital arrests and all of that that a lot of our KYC actually doesn't

seem to work when it's supposed to work.

>> Indeed. Indeed. Uh so again it two maybe two reasons the banking sector

is still sort of stuck in that common denominator world is one um we tend lot of you know in our design sessions I tend to come across this

issue as an architect of this I come across like what's called a death by exception so we always have one use case of few people who might not be have smartphone and we say no throw the maybe

out of the with the bath water uh and then everybody goes back to a DB because those five people or five customers can't don't have smartphone. So I think

one of the thing we have to be careful is that if if majority of the people didn't have smartphone let's say five six years ago uh you know common thing

data was just coming in 4G revolution just started you know maybe it's a good argument at that time that we can't force everybody to an app world but 2025

is a different thing I think we today we we banks should look at definitely look at what's how can we protect most common

customers who are using the app which is what your credit card example was by the way because you have today you have credit card apps or whatever the bank

apps with you your ability to readjust the you know tap maximum how much you can tap how much you can five 10 years ago you didn't do any of this because you didn't have an app you didn't have

anything so you had no mechanism to easily rejust no lock temporarily pause lock all that thing you know I casually use that when I travel abroad, I lock international, I come back, unlock

international. So easy. It's the power

international. So easy. It's the power is given back to you, right? That's a

very good argument today. The bank

should look at smartphone banking apps as a means to authenticate, not OTB as a means. They can pop up literally saying,

means. They can pop up literally saying, okay, are you authenticating reconfirm or whatever, right? You all connected apps. Everybody's connected and we all

apps. Everybody's connected and we all we are their customers. We have their app. So one way to think about it is to

app. So one way to think about it is to how do we protect people who have smartphones which is majority becoming almost a majority today with a higher

security and more convenience. So

without diluting security which is UPI story without diluting security how can we bring convenience for the people who are smartphone but you also have this argument that people there are many

users who who are still web users they may not have an app they are assisted users they'll come so for those people you still have to treat and but you don't have to punish everybody for that

right you can still make sure inclusion angle is taken care but while um protecting or giving convenience to most people who are in the smartphone world.

So if you look at the latest launch of the net banking the banking connect net banking reimagined complete reimagined net banking which global fintech festival npci demonstrated uh it's

completely like up net banking has never been that easy so easy for you know net banking otherwise convoluted right it goes here again and come back and

redirection and it just keeps breaking uh all that be redesigned so it might be two or three reasons why banking one you know death Why exception argument I think we should get out of it. Second,

it's just that somebody has to take a somebody has to concerted effort to like UPI and NPCI. So people like NPCI can actually bring the saying can we provide a much smarter authentication mechanism

to the whole banking world. I think they can take a facilitate this conversation otherwise one bank alone may not rise up to do this. And the third regulatory blessing our Indian system is that

regulatory is so strong that with regulator blinking or smiling they won't do anything you know in the sense that so you need some signals from the

regulator saying time has come for reimagining OTP and security of KYC if that can come from regulatory side and

if NPCI like facilitation effort can happen all of us can volunteer as well as part of as always we did with the design I think it's time we should definitely look at it hopefully your

podcast triggers some thoughts >> right so you know uh let me take you to the sort of larger KYC architecture question now you know when we uh open accounts of course in some cases we're

able to open accounts with a video KYC and uh let's say an Aadhaar KYC and so on I mean particularly credit cards some kinds of bank accounts and so on but for a large part of transactions again

financial we are filling up form after form signing in 20 places in a 30page form and there are many forms particularly if you take loans. So what

as you look ahead what is the kind of uh is there are there solutions for this kind of uh you know uh let's say uh barriers to ease of doing business or

ease of taking loans or ease of giving credit even it's equally painful I would imagine for the bank to sit with you as they do uh you know with a you know 30

40page document and then many more documents where you keep signing and then there's all that effort going in.

So can what is what's the future looking like there?

>> It's a wonderful question.

It amazes me by the way even today that India launched e-ign in 2014. We

launched digil locker in 2014.

E-ign has crossed 1.5 billion. Eigns

today still I would presume much to adopt for uh diger has 9 plus billion credentials 550 million users. What is

it? And account aggregator has come for unlocking data um sharing of data, financial data for lending and other purposes. For example, even then I think

purposes. For example, even then I think our banking systems tend to be exceptionally conservative uh in three things, right? collecting

information, collecting information about you, which could be transaction information or profile information typically, right? Or your profile and

typically, right? Or your profile and other data. They recollect collect again

other data. They recollect collect again and again and again and they keep collecting that. Second,

collecting that. Second, they tend to still fall back on paper for almost all except for many low

except maybe for low value transaction.

Most of the people get hit by some paper filling form and wet signature. Although

IT act was in 2003, India was so ahead in our IT act thinking that except will and property rights or something property transfer pretty much everything is digital signature is legal. They just

be clear that digital signature is perfectly okay if you can exact equivalent to V signature 2009 we upgraded 2008 we had an upgrade of IT

act e-ign was launched in 2014 1.4 4 billion people can e sign it even then today two two days ago for example 4 days ago I did a you know

account opening for my some investments I had to fill physical forms paste photographs and then they scanned all of them and asked me to e-sign the again

whole thing I said why did I have to fill up this after you already knew I mean it didn't make no sense it makes no sense to them it no makes sense to customer funny thing it

It is everybody knows this is sort of silliness is happening and also high cost the cost incurred in the system due to this work it's delay time delay

paperwork you know cost of paper processing people coming home collecting paper going back and forth is just ridiculous India has all legislative

legal technological and proven back backbones India with India stack that we can completely get

rid of this completely without diluting audit requirement verification requirement

without any you know KYC dilution nothing is needed so we are not making an argument to dilute we are simply

making an argument to go not digitize it that is what I did basically fill up the form and they scan the document sign it but go digital native. So how can

India's perfectly ready to go digital native because of our strong DPI efforts of the last 15 years India took through and 10 years especially we are I think

it is just one of those things that waiting to happen I do I don't expect one bank to make this move it has to be a collective

effort by the community and the regulator stepping in and say in this is this ought to stop because problem is that extreme conservative layers are

getting applied right uh compliance officers this officers all these guys are covering their neck in one sense saying why am I taking the risk just take one more physical copy also so

they'll do Aadhaar resign they'll do Aadhaar OTB they'll do Aadhaar everything then collect a photocopy of Aadhaar also so it's a why do you

already have a EKYC done fully digitally cryptographically encrypted and protected. No, no, no. Just in case,

protected. No, no, no. Just in case, just collect photo. So, it's one of those long decades long or maybe even centuries long, right, of habits that is

refusing to go. This can go not by natural death. The natural death might

natural death. The natural death might take time. It has to be a little bit

take time. It has to be a little bit forced by the regulatory and leadership.

I think the regulatory and the um top level political leadership must take cognizance of this fact that India

incurs enormous cost in doing this. If

you look at MCA filing, it's the same thing. Companies I sign as board member

thing. Companies I sign as board member >> physical paper, they core it to me, I send it to them, they scan it and upload to MCA. They could have sent me a PDF. I

to MCA. They could have sent me a PDF. I

could have e-signed it. It's completely

under the IT act legal and valid and everybody has a copy also still conservative mechanism. No, who will

conservative mechanism. No, who will make the call? Who will bell the cat?

You know, so it's one of those things.

So I think regulatory authorities and our ministries have a responsibility here to actually take a forceful shift without waiting for the world to shift.

World will eventually shift. give 10 15 more or maybe our children, grandchildren will eventually not see paper but that is not the point right India is brilliantly set up to actually

make this happen without single thing being diluted in fact I would say I would say it's strengthened because this paper copies carried by career companies

and people and photocopies are much more vulnerable to fraud and the theft of personal data than encrypted end to end encrypted digitally signed proofs that

bank has. I'm much better comfortable

bank has. I'm much better comfortable than sending copies with all people. I

don't even know how many people are making copies of these forms, investment forms and so on. Right. So I think it's time has come. It absolutely ought to come from top. It won't come naturally

from the bottom. It'll come slowly from the bottom.

>> Yeah. And and I think two points you made. One is the fact that uh digital

made. One is the fact that uh digital signatures or e signatures are uh are are completely accessible and used and can be used by anyone and everyone and

more importantly as you said it has the regulatory and the uh legals up for it which really even if we know we're not obviously putting fully into practice and that's quite evident the

next time I go and take a car loan or a house loan or whatever it is.

>> Okaydeed. So uh as we look ahead uh promote so we started with OTPs because that's the manifestation of the problem at the retail level and then we talked

about the larger KYC architecture uh for a for a country like India. So uh two questions. So one is uh if you were to

questions. So one is uh if you were to look at other countries or other systems, what's the kind of uh KYC architecture that you see as ideal

optimum for us which we can either borrow or if we've already ahead in many parts of that race then how do we innovate faster and and where could we

innovate and uh let me come to the second one after that. So um I have seen I I know we we look at several countries

and we already speak to as part of many of the DP initiative many of us speak to 40 50 countries we analyze as part of the fintet and other efforts we analyze

variety of countries you know regulatory readiness technological readiness ecosystem readiness and so on especially in the

financial industry India is absolutely ahead head. It's just crazy the

ahead head. It's just crazy the investment that we had made serendipity playing out again and again you know but in the last literally in a decade what

we have pulled off here unlocking data unlocking dig identity of course for everyone unlocking smartphones and 4G and uh it just and then now tax credits

are digital everything is almost all proves with dig locker everything else it is so perfectly set for India to continue to cruise ahead. India is

ahead. No question about it. What India

is not ahead is in the boldness of making some of these reforms. We are we because viety of reasons I presume we are I'm not a regulatory

expert or a reform expert but I would from a user point of view I see we could have been much more bullish uh going for this because Indian are young digital

and aspirational okay they are ready for it. I think we are just not bullish

it. I think we are just not bullish enough to make these calls um because of the diversity largestess and you know I

think we have bigger problems to solve I presume for everything else going on uh this seem to be low priority.

No other country has a technological or legal backing and the one a billion people population scale infrastructure

that India has laid no one has this kind of fulls entire stack fully ready for a whole population I what I see difference

is the boldness under which you know innovators can innovate innovators are not bold enough to innovate here because the regulator especially financial

industry regulation is so strong, regulatory is so strong without them do signaling something they will not innovate because they'll get beaten up you know that's where it get different

so because of that it gets harder for someone to prove to you that this can be done so this has to be slightly top down in India and more concerted effort to

shift uh than you know like in the US for example innovators private innovators can just show it to you and later get blessing from the regulator later like the stable coins and everything else are going on right so

you know there's no paper in the US there's hardly any of this but there are less paperwork there because that just allows technological innovation to drive and figure it out I think here we are

lot more conservative lot more top down in the financial sector from the regulator onwards uh so maybe this such efforts have to be also very correct

concerted and conscious top- down effort to shift the momentum we have seen this before, right? RBI has done this before

before, right? RBI has done this before uh with uh KYC, digital KYC, KYC, SEBI has done this saying that entire mutual fund investment put a limited amount

below can be completely digital which is why the explosion of uh you know SIP investments you know the zerodas and the grows and all this the growth of them all the are reflective of what the

regulators have already done but I think we could do lot more if you simply look at our paper paper form filling and data collection uh just to get rid of that

stop collecting the data again and again simply use existing dig locker and other mechanism to prepopulate or autopop populate your form and the second simply

do a digital signature native digital stop printing maybe in a mandatory go paperless drive has to happen and then it'll shift it'll because it's just

waiting for somebody to just say okay to do So uh last question promote so you know we started by asking whether uh we can say goodbye to OTPs in 2026 uh and let

me come back to that now uh I think you've given us a pretty good sense on what the uh the regulatory authentication architecture is like in India and advanced as it is uh this is

one sort of pain point that we still have to work on. So your last or final thoughts on this >> very interesting possibility happens happened in 2025 and if you play this

well within the ambit of privacy and choice and everything else it's not that it has to be no we should not go try mandating mandating everything to everybody people have to have a choice if people want to

get OTP let them get OTP that's not the point >> in you after 15 years UID launched

a selfservice uh it's called an Aadhaar app >> which has a full-fledged verifi globally compliant standards for verifiable

credentials and a built-in phase authentication that means without you proving anybody to anyone else they can send a request to you and you can just literally say and it'll give you a

digitally signed token only a token back to that site website or an app saying that oh yes promote the goind has been authenticated and as per UIDI digitally

signed so they can choose the proof to say yeah it's been done so lot of things and this is on everybody's phone literally with a camera and it

brilliantly works because it's a face is one is to one right you are already have your face with other so you're able to do with digital binding to your device so it's actually two factor

authentication playing out at 1.4 4 billion people scale and the app is not direct and the app is built in such a way families can use. So if a family has

one smartphone the family members can onboard their authentars into the wallet >> and the Aadhaar app. So even my my family my children are in my my app you

know they it's not in their app but that's okay because now she can go if you are a school admission the child you don't in OTP you literally can do an authentication in your house in your

phone without sharing your credential with anyone that means zero privacy violation zero data sharing completely digital population scale doable and this

happened in 2025 the launch happened literally 2025 and face authentication is proving out to be so successful that hopefully 2026 a bunch of workflows can actually shift whether every website

will start using is a questionable we don't know but most at least regulatory most good sites and most good regulated environments can all shift to face off

literally that means whole world whole country can use it it's very powerful even if I don't have a phone think about it yeah my grandmother can actually use because she doesn't

have a phone but she can be on my phone because she has an other that's powerful and she has a face so it's really powerful even more inclusive I would

argue that no DP so hope >> yes absolutely and and uh we we surely hope 2026 we'll see some uh new

regulatory authentication architecture which will make all our lives simpler more meaningful and of course save a lot of time uh and bring more ease of doing business and ease of leading our daily

lives. On that note, Promo, thank you so

lives. On that note, Promo, thank you so much for joining me today on this conversation.

>> Thank you Gohan. Pleasure. Absolutely.