[ignoramous]

One way to do that would be to monitor SMSes for 2FA codes. This can be easily done on Android and iOS. The app can run the payments flow in a phanthomjs esque environment and read off 2FA values from the SMS inbox, and bam! Payment done. Also, there are other options for authorizing recurring payments but at fixed amt, and paper work can't be avoided.

[harshilmathur]

Not every bank sends 2FA codes via SMS. For example my debit card with SBI has a static password that I need to put in for every payment

[ignoramous]

In that case, you could provide the user with a on-device one-click authenticate button (via notification/email, reminding her/him to approve the payment) that'd push the credentials out to your phantom-js instance. I am not sure what RBI complaince mandates, but one might be a strongbox.io away from implementing such a scheme server-side as well, if legal. A lot of care must go into securing such systems, no doubt. And there might be simpler alternatives that I simply cannot think of.

[shk]

Just like cvv, we are not allowed to store the static passwords.

[ignoramous]

Well, you don't really store the passwords on your servers, but rather store it on user's own devices (in a keystore, for instance). The user then agrees to push the credentials to your servers periodically instead of typing the password to authorize the payment.