Starting June 22, 2026, GCash users will no longer receive authentication codes via text message. The country's leading digital wallet is completing its transition to in-app one-time passwords delivered as push notifications directly through the GCash app — and once the switchover is done, SMS OTPs will stop working entirely.
The move satisfies a Bangko Sentral ng Pilipinas directive under the Anti-Financial Account Scamming Act (AFASA), which mandates that digital financial platforms phase out SMS-based authentication by the end of June 2026. GCash's rollout has been underway since earlier in the year; June 22 is the final completion date.
The practical change is straightforward: instead of waiting for a text message and typing in a six-digit code, users receive a push notification through their GCash app session. One tap confirms the transaction. No switching between apps, no manually entering numbers.
The security benefit is more significant. SMS OTPs have long been vulnerable to phishing, SIM swap attacks, and social engineering — scammers call customers, impersonate bank representatives, and trick them into reading codes aloud. In-app OTPs are tied to an authenticated device session and cannot be intercepted via the phone network.
GCash Chief Information Security Officer Miguel Geronilla explained the shift directly: "Our upgrade to In-App OTPs is a strategic move to put an end to phishable SMS OTPs. We will shift users to instant, GCash app-verified authentication to increase the security of their daily transactions." Geronilla added that multi-factor authentication "greatly reduces the risk of account takeovers, even if passwords or MPINs are compromised."
The one action users need to take before June 22: make sure push notifications are enabled in iOS or Android device settings. Without that, authentication requests will not arrive.
In-App OTPs integrate with GCash's existing Double Safe framework, which includes KYC identity verification and facial recognition. The company positions the switch as part of a broader security strategy rather than a one-time compliance checkbox.
Sources: