PayPal executives explain what comes after OTP — the way you type or hold your phone could be the 'digital signature' of the future

Guru Bhat, the General Manager at PayPal India and the company’s chief technology officer Sri Shivananda explain how ‘kinetics’ is the next threshold for payment companies to keep fraudulent transactions at bayUnsplash
  • SMising is becoming more prevalent, as highlighted by the coronavirus lockdown, which means one-time-passwords may not be enough to keep hackers at bay.
  • Guru Bhat, the General Manager at PayPal India and the company’s chief technology officer Sri Shivananda explain how ‘kinetics’ is the next threshold for payment companies to keep fraudulent transactions at bay.
  • The problems with using OTPs extend beyond the cybersecurity landscape, with a higher chance of transactions getting abandoned midway, creating a demand for seamless multi-factor authentication.
Users in India believe that their online transactions are largely safe because we have a strong system of two-factor authentication in place. However, with phishing — especially SMishing — on the rise, this may no longer be the case. Hackers can gain access to your phone, and, in turn, all your messages, including incoming one-time-passwords (OTPs).

So, what do you do when the one sure-shot method of protecting your online payments might get compromised? ”The way you hold your phone, the pressure that you exert when you’re typing on the keyboard and other things — these are multiple hidden factors that will give you the same result as an OTP,” said Guru Bhat, vice-president of the Customer Success Platform and general manager at PayPal India.

Most smartphones today come equipped with a host of sensors. The screen Gyroscopes can measure the orientation of your phone. Accelerometers can determine how hard you’re hitting your keyboard. And, advanced haptics can even determine how hard you’re holding your phone.


These factors come together to determine a person’s digital signature through what is called ‘kinetics’. “You take the fact that an individual is associated with a device and the individuals’ use of a device itself has a signature. And, you use that signature as a part of the claim that the individual is who they claim to be,” explained Bhat.

Where do you draw the line?
While multi-factor authentication could facilitate seamless transitions, companies will also have to determine where to draw the line since microphones and facial recognition are also factors than need to be taken into account. While they may be more efficient than other methods to authenticate a person’s identity, they end up falling on the other end of the privacy spectrum. “It’s going be a mix of human intelligence and machine intelligence, where the magic actually lies,” said Bhat.

It’s not something that is used by payments platforms just yet, but it’s definitely something that’s on the horizon. “Soon enough, we’ll get to a place where seamless transactions and convenience will all be based on implicit multi-factors, from various different things,” said Sri Shivananda, senior vice president and chief technology officer at PayPal.


The obstacles with OTPs go beyond security
Until multi-factor authentication comes in, OTPs are still the best option that users have at their disposal. “There are other methods of secure communication that can happen. But, during the bridge, this is the best course that companies are able to take,” Shivananda explained.

However, OTPs are not only a worry with respect to security as the hackers get cleverer but also with respect to transaction drop rate. “Does two-factor authentication improve the security and safety of a transaction — absolutely, yes. And, at the same time, does it add friction to it and does the conversion rate for a merchant actually drop — absolutely, yes,” he added.

From the time that you initiate a transaction to when you complete it using an OTP there are many things that can go wrong. Network connectivity could fall through, you might enter the incorrect six-digit code, somebody might call you away in the middle of the lengthy process causing the transaction to time or you might simply, just lose interest.


For now, payment companies like are using artificial intelligence (AI) and machine learning (ML) to track where potential attacks could emanate from. “Through what we call defence-in-depth and layered security, we apply protection on your device from within the app — on the network edge, rate-limiting infrastructure, the right kind of cryptographic infrastructure, and so on,” explained Shivananda.

MS Dhoni-backed Khatabook adds to its line-up of star investors ⁠— Sequoia and Tencent get more stake in India's largest small business app

Faizal Siddiqui’s TikTok acid attack video is adding to the growing list of problems for the platform in India

Tiktok got 4 million comments on Google Play Store dragging down its rating to 1.3⁠ — but it may not disappear yet