The Bangko Sentral ng Pilipinas (BSP) is considering phasing out one-time passwords (OTPs) for digital banking transactions, citing the growing vulnerabilities of this method. BSP Deputy Governor Elmore Capule emphasized that the agency is exploring stronger security measures to make digital banking more resilient, with biometric authentication and other advanced technologies being evaluated as secure alternatives to OTPs.
This move aligns with global regulatory trends. Institutions such as the Monetary Authority of Singapore (MAS) are actively encouraging the shift away from OTPs due to their vulnerabilities, and the Bank for International Settlements (BIS) supports the adoption of more secure authentication methods as part of broader financial security initiatives.
While OTPs have been a standard security measure, cybercriminals have found ways to bypass them, leading to significant financial losses. In the Philippines, fraud tactics such as “smishing” (SMS phishing) and SIM swap scams have resulted to account takeovers and unauthorized transactions. In 2024, the Cybercrime Investigation and Coordinating Center (CICC) recorded 10,004 cybercrime complaints, with nearly PHP 198 million in reported losses—many of which were linked to OTP-related fraud.
Several incidents have highlighted the risks associated with SMS OTPs:
- Unauthorized Bank Transfers (2021): Over 700 account holders suffered unauthorized transactions when fraudsters bypassed OTP authentication, transferring funds to other accounts. Attackers exploited OTP vulnerabilities through phishing and social engineering.
- Spoofing Scams (2024): Scammers inserted fraudulent messages into legitimate SMS threads, tricking users into clicking malicious links that stole personal and financial information. This tactic made fake messages appear credible, leading to widespread fraud.
- SIM Swap Fraud: Cybercriminals used stolen personal details to trick telecom providers to transfer victims’ phone numbers to new SIM cards, intercepting OTPs and gaining full control over their online banking accounts.
For financial institutions, relying on OTPs not only poses security risks but also creates friction in digital banking:
- Customer Support Overload: A significant portion of helpdesk inquiries stem from password resets and OTP failures, increasing operational costs and frustrating users.
- Drop-offs in Digital Transactions: Lengthy or cumbersome authentication processes lead to abandoned transactions. Users may get locked out of their accounts due to expired OTPs, device changes, or forgotten passwords, impacting engagement and revenue.
- Limited Scalability: OTP-dependent systems can struggle during peak transaction periods, causing SMS delays and authentication bottlenecks.
- Regulatory Compliance: With regulators pushing for stronger authentication, financial institutions relying on OTPs may need costly upgrades to meet evolving security standards.
Moving Towards Passwordless Authentication
As digital security threats grow more sophisticated, banks are shifting to modern authentication solutions that eliminates passwords and OTPs
One such solution is V-Key ID, which enables strong passwordless authentication without relying hardware tokens or SMS OTPs. By leveraging cryptographic techniques and mobile-based identity verification, V-Key ID reduces phishing and credential theft risks. Its identity portability, advanced cryptographic security, and biometric integration enhance both security and user experience. Businesses adopting V-Key ID can streamline digital onboarding and authentication while safeguarding customer data.
Another approach is V-OS Smart Token, which replaces SMS OTP with encrypted push notifications, reducing interception risks. One-tap authentication enhances user convenience, while flexible options like QR code scanning provide adaptability for digital banking services.
FIDO2, developed by the Fast Identity Online (FIDO) Alliance, is a widely adopted standard in passwordless authentication. FIDO2 enables secure authentication using a trusted device (with optional biometrics), preventing credentials from being easily stolen or intercepted.
For banks and financial institutions, transitioning to passwordless authentication offers several advantages:
- Stronger Security – Solutions like V-Key ID and V-OS Smart Token, which leverage standards such as FIDO2, mitigate risks associated with OTP interception, phishing, and password reuse.
- Enhanced User Experience – Passwordless authentication simplifies logins, reducing friction in digital banking.
- Regulatory Compliance – Aligns with shifting security requirements from regulators such as BSP and MAS.
Privacy-Protected Biometrics – V-Key ID converts biometric data into a private authentication key within the mobile app, ensuring better security and privacy. - Secure Architecture – Built on V-Key’s patented Virtual Secure Element, ensuring security logic remains protected from external threats.
- Cost Savings – Eliminates the need for hardware tokens and SMS OTP subscriptions.
- Secured OTP Generation – V-OS Smart Token generates OTPs securely within the Virtual Secure Element, preventing phishing, vishing, and smishing attacks.
- Seamless In-App Authentication – OTPs are generated in the background for frictionless user intervention.
- Massive Scalability – More than just providing password less authentication, V-Key ID is very flexible and can be easily integrated with other V-Key solutions.
- Portability– with V-Key ID authentication is not limited to device. Authentication is in user level where user don’t need to do re-registration when changing device or another platform (Android, IOS, Harmony OS)
- Versatile Use Cases – Supports login, challenge-response authentication, digital document signing, mobile transaction signing, VPN access, out-of-band 2FA, and offline authentication.
Seamless Security with Passwordless Authentication
These solutions enhance user experience by eliminating password-related friction while strengthening customer trust, reducing fraud-related costs, and ensuring regulatory compliance. Additionally, passwordless authentication accelerates digital onboarding, boosts conversion rates, and mitigates risks like account takeovers and unauthorized transactions. By delivering a seamless, secure experience across multiple platforms, financial institutions can improve operational efficiency and drive long-term growth in a competitive landscape.
Resources:
https://philstarlife.com/news-and-views/223208-bsp-considers-removing-otp-shift-more-secure-methods?page=2
https://www.philstar.com/headlines/2024/11/09/2398734/public-warned-vs-spoofing-scams
https://technology.inquirer.net/140281/cicc-gets-10000-complaints-vs-online-scams-in-2024-tripling-past-years-list
https://www.channelnewsasia.com/singapore/banks-phase-out-otps-login-phishing-scams-digital-tokens-4466786
