Gcash, known as the Philippine “paying treasure”, is strengthening security by introducing a one-time, dynamic password-enhanced security protocol, which is intended to replace the traditional SMS authentication code. It is expected that in the first quarter of 2026, users will receive dynamic passwords directly through the application of internal security notifications instead of relying on text messaging channels.
This shift is mainly aimed at text-messaging the long-standing security risk — fraudsters often hack into user accounts illegally by intercepting text-messaging codes. Sending the authentication request directly to the certified Gcash application ensures that the dynamic password is received and used only by the true account holder. The new feature will also provide a more fluid user experience: the user does not need to switch or manually enter the authentication code from application to application, and can do the instant validation by a single click. The Chief Information Security Officer of Gcash, Miguel Heronilla, stated that the upgrade was a strategic initiative to improve safety by eliminating “sMS-codes of vulnerability to fishing”.
“We will direct the users to the immediate, certified means of identification applied by Gcash in order to enhance the security of day-to-day transactions.” Miguel Helonilla emphasized. The introduction of the internal dynamic password is an important component of Gcash’s multifactor certification system, which also includes existing protection measures such as customer identification and the “double-safe” human face recognition system. The combined effect of these layers of security protection will effectively reduce the risk of account hijacking even in cases where passwords or MPIN payment passwords are leaked.
