If you use GCash — and if you are Filipino, there is a very good chance you do — something changed on June 22, 2026.
The text message with your One-Time Password? The six-digit code that arrives via SMS every time you log in or confirm a transaction?
It is being phased out.
Starting June 22, GCash replaced SMS-based authentication with in-app One-Time Passwords delivered through secure push notifications directly within the app. Mynt
You no longer wait for a text. The OTP comes to you inside GCash itself.
This is not a minor update. It is the biggest change to how GCash verifies your identity since the platform launched. And understanding why it happened — and what you need to do — matters for every Filipino with a GCash account.
Quick Answer
What changed: GCash OTPs now arrive as push notifications inside the app — not via SMS text message.
When: Fully rolled out June 22, 2026.
What to do: Enable push notifications for GCash on your phone right now.
Why: BSP required all digital payment platforms to phase out SMS OTPs by June 30, 2026 under the Anti-Financial Account Scamming Act (AFASA).
Why SMS OTPs Were Always a Problem
To understand why this change matters, you need to understand why SMS OTPs were always a weak security layer — even if they felt secure.
When GCash sends an OTP via text message, that code travels through the mobile network infrastructure before it reaches your SIM card. That journey — from GCash's servers through the telco network to your phone — has multiple points where it can be intercepted.
The most common attack is called SIM swapping — where a scammer convinces a telco to transfer your phone number to a SIM card they control. Once they have your number, every SMS that goes to your number — including your GCash OTP — goes to them instead of you. They have your password from a phishing attack. They have your OTP from the SIM swap. Your account is gone.
The second common attack is SS7 exploitation — technical vulnerabilities in the signaling system that mobile networks use to route messages, which can allow interception of SMS messages including OTPs. This is more sophisticated but has been used in targeted financial fraud cases.
The third is simply smishing — SMS phishing — where scammers send fake messages pretending to be GCash, get you to enter your OTP on a fake website, and use it to authorize transactions on your real account.
For years, SMS-based OTPs have been one of the most commonly exploited entry points for scammers attempting to gain unauthorized access to user accounts.
The SMS OTP was always the weakest link in GCash's security chain. The platform just needed a better alternative before removing it.
What In-App OTPs Actually Do Differently
Instead of waiting for a text message, users receive OTPs through secure push notifications inside the authenticated GCash app.
Here is the specific security improvement this creates:
The push notification goes to your GCash app — which is tied to your specific device, your GCash account, your KYC-verified identity, and your phone's hardware identifier. A scammer who has your password and your phone number cannot receive your in-app OTP unless they physically have your phone and can unlock it.
SIM swapping becomes useless. There is no SMS to intercept. The OTP never travels through the mobile network at all — it goes directly from GCash's servers to the authenticated app on your specific device.
The immediate one-tap authentication mechanism eliminates the need for users to switch between applications or wait for text messages to arrive.
You see the push notification. You tap approve. The transaction goes through. Done — faster than typing a six-digit code from a text message, and significantly more secure.
The Law Behind the Change — BSP and AFASA
This did not happen because GCash decided to upgrade on their own timeline.
This move complies with the directive of the Bangko Sentral ng Pilipinas to phase out SMS-based OTPs by June 30, 2026. The measure aligns with the Anti-Financial Account Scamming Act (AFASA), which aims to strengthen cybersecurity safeguards and curb the growing incidence of digital fraud.
AFASA — the Anti-Financial Account Scamming Act — is a Philippine law specifically targeting the mechanisms that scammers use to drain Filipino bank accounts and digital wallets. One of its key provisions mandates that financial platforms move away from SMS-based authentication by a specific deadline.
June 30, 2026 was that deadline.
GCash's June 22 rollout gives users a week of buffer before the BSP deadline. Every other BSP-regulated financial platform in the Philippines is under the same requirement — which means if you use other digital wallets, mobile banking apps, or payment platforms, expect similar changes across the board.
What You Need to Do Right Now
The transition is automatic on GCash's side — but there is one thing that depends on your phone settings that could break the experience if you do not check it.
Enable push notifications for GCash.
GCash is urging users to ensure that their device's push notifications are fully enabled to avoid any disruption to transactions and account activities. Mynt
If push notifications for GCash are turned off on your phone — you will not receive your in-app OTP. The notification will not appear. Your transaction will not go through. And you might think something is wrong with your account when the actual issue is a phone setting.
On Android:
Settings → Apps → GCash → Notifications → Allow Notifications → Turn On
On iPhone:
Settings → GCash → Notifications → Allow Notifications → Turn On
Check this now. Not when you are in the middle of a GCash transaction and the OTP does not arrive and you are standing at a cashier. Now.
The New Experience — What It Looks Like
When you initiate a transaction that requires OTP verification on GCash:
Instead of the screen saying "Please wait for your OTP via SMS" — you will see a push notification appear on your phone from GCash. Tap it. You are brought directly into the app to a verification screen. Confirm with one tap. Transaction approved.
If you are already inside the GCash app when the OTP is triggered — the verification screen appears directly within the app flow. No switching apps. No waiting for a text. The whole process is seamless and significantly faster than the SMS version.
What About Users With Weak Internet or Signal?
This is the practical concern I see Filipinos raising — and it is a fair one.
SMS OTPs worked even on basic signal because text messages route through the cellular voice/SMS infrastructure which operates on lower bandwidth than data. In-app push notifications require a data connection — WiFi or mobile data — to arrive.
If you are in an area with poor data signal and no WiFi — the push notification may be delayed or not arrive immediately.
GCash has not yet publicly detailed an offline fallback mechanism for this scenario. My practical suggestion: for GCash transactions that matter — ensure you have a stable data connection before initiating them. In provincial areas with inconsistent signal — use WiFi when available for GCash transactions going forward.
This is the honest limitation of the in-app OTP system that most tech blogs are not mentioning. It is a real consideration for Filipinos outside Metro Manila. Including those of us in Surigao City.
The Bigger Picture — Philippine Digital Finance Growing Up
This change is part of a larger shift in how Philippine digital finance is maturing.
The BSP's AFASA directive applies across all regulated financial platforms — not just GCash. Maya, bank mobile apps, digital wallets, and other payment platforms are all moving toward stronger authentication standards under the same regulatory framework.
The mid-year bonus ATM congestion story I wrote recently — and the eGovPH outage — are all part of the same larger story: Philippine digital infrastructure is growing rapidly, regulation is trying to keep pace, and the weaknesses that scammers exploited for years are finally being systematically addressed.
SMS OTPs were exploitable. They are being replaced. That is progress.
The execution — specifically whether users in areas with poor data connectivity are properly supported through the transition — is the part that still needs watching.
Disclaimer: This post reflects publicly available information about GCash's June 2026 OTP transition as of the date of publication. GCash features and policies may change — always refer to the official GCash app and gcash.com for the most current guidance.
Before I Close This Tab
The SMS OTP served Filipino GCash users for years. It was familiar. It felt secure — even when it technically was not.
The in-app OTP is more secure. Faster. Simpler once you enable the push notifications. And legally required by the BSP under AFASA.
The change is done. June 22 has passed. The text messages are going away.
The one thing standing between you and a smooth GCash experience going forward is a notification permission in your phone settings.
Check it now. Your future self standing at a cashier waiting for an OTP that never arrives will thank you.
-Mavs
0 Comments