MANILA, Philippines (Jun 2026) — That text message with your GCash verification code? It’s going away. Starting June 22, 2026, GCash will fully replace SMS-based one-time passwords with In-App OTPs delivered through secure push notifications directly inside the app.
The move is both a security upgrade and a regulatory requirement. The Bangko Sentral ng Pilipinas has directed financial platforms to phase out SMS OTPs by June 2026 under the Anti-Financial Account Scamming Act (AFASA), a law designed to reduce the growing incidence of digital fraud in the country.
Why SMS OTPs have been a problem
For years, scammers have exploited the way SMS-based OTPs work. Text messages can be intercepted, SIM-swapped, or used as bait in phishing schemes that trick users into surrendering their codes. Because the OTP arrives outside the app, there’s no way to verify whether the message is legitimate.
In-App OTPs close that gap. Verification requests will now appear as push notifications inside the authenticated GCash app, meaning only the person holding the actual device and logged into their account can receive and act on them.
“Our upgrade to In-App OTPs is a strategic move to put an end to phishable SMS OTPs,” said Miguel Geronilla, Chief Information Security Officer of GCash. “We will shift users to instant, GCash app-verified authentication, to increase the security of their daily transactions.”
What actually changes for users
The practical difference is straightforward. Instead of waiting for a text to arrive and then manually typing a six-digit code, users will get a one-tap prompt inside the GCash app itself. No more switching between apps. No more waiting. No more retyping.
GCash says the system is available for both Android and iOS users, and that the transition process involves simple steps to switch over before the June 22 rollout.
Part of a bigger security push
In-App OTPs are part of GCash’s broader shift toward Multi-Factor Authentication (MFA), an industry-standard approach that layers multiple verification checks to protect accounts even when passwords or MPINs have been compromised. The app already uses Know-Your-Customer (KYC) verification and facial recognition through its Double Safe feature.
With over 94 million registered users, GCash is the country’s largest cashless ecosystem. A security upgrade at this scale affects a significant portion of the Pinoy population that relies on the app for everything from bill payments to money transfers and loans.
For more information on how to prepare for the transition, visit gcash.com.
