So OTP is fine, but biometrics is better?
This is clearly a push to get to using biometrics. The issue remains the same: I can't change my face if the database gets hacked, and we all know that it will.
Leave my face alone.
India's central bank on Wednesday proposed a requirement for dynamically generated second authentication factors for most digital payments. "Reserve Bank of India had mandated additional factor of authentication (AFA) for all transactions undertaken using cards, prepaid instruments and mobile banking channels," explained the …
I can't say for sure what this system entails, because of course, they haven't even decided yet, but most biometric systems don't work that way. In most systems, your face/fingerprint/whatever (voice being the obvious exception to this rule) never leaves your local device (phone, tablet, PC...). You authenticate biometrically locally, then a key-pair exchange authenticates to the remote service.
A large part of the reason for this is that nobody wants the hassle of securing biometric data or being responsible for it when it leaks.
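
The flow described in the comment above (local biometric check, then a key-pair challenge-response with the service), sketched as an added example that is not part of the original thread. `Device`, `Server`, `Enroll` and the `biometricOK` flag are hypothetical names, and Ed25519 is an assumed choice of signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device holds the private key; the biometric match happens only here.
type Device struct{ priv ed25519.PrivateKey }

// Server stores one public key per user and no biometric data (constructed model).
type Server struct{ keys, pending map[string][]byte }

// Enroll makes a key pair on the device and registers only the public half.
func Enroll(s *Server, user string) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s.keys[user] = pub
	return &Device{priv}
}

// Sign answers a challenge only if biometricOK, a stand-in for the platform's local prompt (assumption).
func (d *Device) Sign(challenge []byte, biometricOK bool) ([]byte, error) {
	if !biometricOK {
		return nil, errors.New("local biometric check failed")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Challenge issues a fresh random nonce for this login attempt.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c)
	s.pending[user] = c
	return c
}

// Verify checks the signature over the pending nonce, which is single-use.
func (s *Server) Verify(user string, sig []byte) bool {
	c, pub := s.pending[user], s.keys[user]
	delete(s.pending, user)
	return c != nil && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, c, sig)
}

func main() {
	s := &Server{map[string][]byte{}, map[string][]byte{}}
	sig, _ := Enroll(s, "alice").Sign(s.Challenge("alice"), true)
	fmt.Println("login ok:", s.Verify("alice", sig))
}
```

In this model a dump of the server's `keys` map yields public keys only, which can be replaced by enrolling a new key pair.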