NPCI may be planning to dump OTPs and PINs for UPI transactions, may go with biometrics

Another very poor decision by NPCI, assuming it gets implemented.
 
> Initially, both PIN and biometric authentication methods are likely to coexist, providing users with multiple options for transaction verification.

One can hope for these options to stay forever.

> The move towards biometric authentication aligns with the RBI's preference for more secure verification methods to combat financial fraud. By leveraging the built-in biometric capabilities of modern smartphones, NPCI aims to enhance the security and user experience of UPI transactions.

These lines give weird intents....
It will make UPI transactions easier and slightly more secure, but privacy of individuals will go for a toss, moving citizens inch by inch towards a totalitarian dystopia.
 
Imagine someone sleeping in a bus
A thief takes their phone out of their pocket
Presses the person's finger to unlock it
Presses the finger again to empty their bank account
Bank says the victim is SOL since the transaction was biometrically authenticated so can't be disputed
It would have been more convenient to carry cash in pocket, which can be used even in areas without network

It's mind blowing that every day we move closer to digital thumb impressions, while in rural areas only the illiterate use it.
 
Absurd thread.

How deep is your sleep that someone can hold your finger and press it against your phone and that won't wake you up?

And there's no compromise in privacy. Android doesn't allow apps to access data from the fingerprint sensor. All authentication goes through Android core system APIs. You can only ask the OS to perform biometric authentication and then the OS will tell you if it was a success or a failure.

If UPI uses this, then just like how apps can't ask for PIN and pass it to NPCI, apps will also not be allowed to pass on biometric authentication. NPCI's web page will trigger a WebAuthn request and interpret the result directly.

For those who don't know, the page on which you enter your UPI PIN is not on the UPI app, but an NPCI webpage displayed using the WebView APIs of Android or iOS. The UPI app never gets your PIN.
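An added example, not part of the thread and not NPCI's or any poster's code: what a WebAuthn relying party actually receives and checks when a page asks the platform for biometric verification. The server sees only signed authenticator data with a "user verified" flag, a client data blob, and a signature, never fingerprint data. The function names, the `expected` object and the constructed authenticator helper are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified on-device (fingerprint, face or device PIN)
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian)
function parseAuthenticatorData(buf) {
  if (buf.length < 37) throw new Error('authenticator data too short');
  return {
    rpIdHash: buf.subarray(0, 32),
    userPresent: (buf[32] & FLAG_UP) !== 0,
    userVerified: (buf[32] & FLAG_UV) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// Relying-party side: everything the server learns is in these three fields.
function verifyAssertion(assertion, publicKey, expected) {
  const { authenticatorData, clientDataJSON, signature } = assertion;
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expected.challenge) return 'bad-challenge';
  if (client.origin !== expected.origin) return 'bad-origin';
  const ad = parseAuthenticatorData(authenticatorData);
  if (!ad.rpIdHash.equals(sha256(expected.rpId))) return 'bad-rp-id';
  if (!ad.userPresent || !ad.userVerified) return 'user-not-verified';
  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', signed, publicKey, signature)) return 'bad-signature';
  // A counter that fails to advance suggests a replayed or cloned credential.
  if ((ad.signCount || expected.storedCount) && ad.signCount <= expected.storedCount) {
    return 'counter-not-advanced';
  }
  return 'ok';
}

// Constructed stand-in for the device authenticator, used only to produce sample input.
function constructedAssertion(privateKey, rpId, flags, signCount, challenge, origin) {
  const authenticatorData = Buffer.alloc(37);
  sha256(rpId).copy(authenticatorData, 0);
  authenticatorData[32] = flags;
  authenticatorData.writeUInt32BE(signCount, 33);
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { authenticatorData, clientDataJSON, signature: crypto.sign('sha256', signed, privateKey) };
}
```

Because the flags byte is covered by the signature, an intermediary app cannot turn a "user present only" result into a "user verified" one without the device's private key.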