[nmzaheer]

It a two factor authentication system.

One is your mobile number i.e. the UPI app first verifies whether the number belongs to you and it is being sent from the same device. To do that, it auto sends a encoded SMS to the NPCI server and awaits a response on the same device (no provision to manually enter the response. It has to be auto read by the app). This ensures that nobody else can claim ownership of that mobile number.

Having known that you own the number, it allows you to link your bank account to the UPI ID. This mechanism involves again sending a SMS to the bank server to verify whether an account exists that is linked to the mobile number you just proved that you possess. If that is true, then you need to prove that you own the bank account. This is done by asking you to enter your debit card details along with the ATM PIN. If that is successful, then that bank account is linked to the UPI ID you just created. Further, the app now forces you to set a UPI PIN that can/is different from your ATM PIN. Now you can perform UPI transactions with your UPI PIN.