Article:

Beyond OTPs: The Shift to Passwordless Authentication in Banking

 

The Bangko Sentral ng Pilipinas (BSP) is considering phasing out one-time passwords (OTPs) for digital banking transactions, citing the growing vulnerabilities of this method. BSP Deputy Governor Elmore Capule emphasized that the agency is exploring stronger security measures to make digital banking more resilient, with biometric authentication and other advanced technologies being evaluated as secure alternatives to OTPs.

This move aligns with global regulatory trends. Institutions such as the Monetary Authority of Singapore (MAS) are actively encouraging the shift away from OTPs due to their vulnerabilities, and the Bank for International Settlements (BIS) supports the adoption of more secure authentication methods as part of broader financial security initiatives.

While OTPs have been a standard security measure, cybercriminals have found ways to bypass them, leading to significant financial losses. In the Philippines, fraud tactics such as “smishing” (SMS phishing) and SIM swap scams have resulted to account takeovers and unauthorized transactions. In 2024, the Cybercrime Investigation and Coordinating Center (CICC) recorded 10,004 cybercrime complaints, with nearly PHP 198 million in reported losses—many of which were linked to OTP-related fraud.

 

Several incidents have highlighted the risks associated with SMS OTPs:

  • Unauthorized Bank Transfers (2021): Over 700 account holders suffered unauthorized transactions when fraudsters bypassed OTP authentication, transferring funds to other accounts. Attackers exploited OTP vulnerabilities through phishing and social engineering.
  • Spoofing Scams (2024): Scammers inserted fraudulent messages into legitimate SMS threads, tricking users into clicking malicious links that stole personal and financial information. This tactic made fake messages appear credible, leading to widespread fraud.
  • SIM Swap Fraud: Cybercriminals used stolen personal details to trick telecom providers to transfer victims’ phone numbers to new SIM cards, intercepting OTPs and gaining full control over their online banking accounts.

 

For financial institutions, relying on OTPs not only poses security risks but also creates friction in digital banking:

  • Customer Support Overload: A significant portion of helpdesk inquiries stem from password resets and OTP failures, increasing operational costs and frustrating users.
  • Drop-offs in Digital Transactions: Lengthy or cumbersome authentication processes lead to abandoned transactions. Users may get locked out of their accounts due to expired OTPs, device changes, or forgotten passwords, impacting engagement and revenue.
  • Limited Scalability: OTP-dependent systems can struggle during peak transaction periods, causing SMS delays and authentication bottlenecks.
  • Regulatory Compliance: With regulators pushing for stronger authentication, financial institutions relying on OTPs may need costly upgrades to meet evolving security standards.

 

Moving Towards Passwordless Authentication

As digital security threats grow more sophisticated, banks are shifting to modern authentication solutions that eliminates passwords and OTPs

One such solution is V-Key ID, which enables strong passwordless authentication without relying hardware tokens or SMS OTPs. By leveraging cryptographic techniques and mobile-based identity verification, V-Key ID reduces phishing and credential theft risks. Its identity portability, advanced cryptographic security, and biometric integration enhance both security and user experience. Businesses adopting V-Key ID can streamline digital onboarding and authentication while safeguarding customer data.

 

 

Another approach is V-OS Smart Token, which replaces SMS OTP with encrypted push notifications, reducing interception risks. One-tap authentication enhances user convenience, while flexible options like QR code scanning provide adaptability for digital banking services.

 

 

FIDO2, developed by the Fast Identity Online (FIDO) Alliance, is a widely adopted standard in passwordless authentication. FIDO2 enables secure authentication using a trusted device (with optional biometrics), preventing credentials from being easily stolen or intercepted.

 

For banks and financial institutions, transitioning to passwordless authentication offers several advantages:

  • Stronger Security – Solutions like V-Key ID and V-OS Smart Token, which leverage standards such as FIDO2, mitigate risks associated with OTP interception, phishing, and password reuse.
  • Enhanced User Experience – Passwordless authentication simplifies logins, reducing friction in digital banking.
  • Regulatory Compliance – Aligns with shifting security requirements from regulators such as BSP and MAS.
    Privacy-Protected Biometrics – V-Key ID converts biometric data into a private authentication key within the mobile app, ensuring better security and privacy.
  • Secure Architecture – Built on V-Key’s patented Virtual Secure Element, ensuring security logic remains protected from external threats.
  • Cost Savings – Eliminates the need for hardware tokens and SMS OTP subscriptions.
  • Secured OTP Generation – V-OS Smart Token generates OTPs securely within the Virtual Secure Element, preventing phishing, vishing, and smishing attacks.
  • Seamless In-App Authentication – OTPs are generated in the background for frictionless user intervention.
  • Massive Scalability – More than just providing password less authentication, V-Key ID is very flexible and can be easily integrated with other V-Key solutions.
  • Portability– with V-Key ID authentication is not limited to device. Authentication is in user level where user don’t need to do re-registration when changing device or another platform (Android, IOS, Harmony OS)
  • Versatile Use Cases – Supports login, challenge-response authentication, digital document signing, mobile transaction signing, VPN access, out-of-band 2FA, and offline authentication.

 

Seamless Security with Passwordless Authentication

These solutions enhance user experience by eliminating password-related friction while strengthening customer trust, reducing fraud-related costs, and ensuring regulatory compliance. Additionally, passwordless authentication accelerates digital onboarding, boosts conversion rates, and mitigates risks like account takeovers and unauthorized transactions. By delivering a seamless, secure experience across multiple platforms, financial institutions can improve operational efficiency and drive long-term growth in a competitive landscape.

 

Resources:
https://philstarlife.com/news-and-views/223208-bsp-considers-removing-otp-shift-more-secure-methods?page=2
https://www.philstar.com/headlines/2024/11/09/2398734/public-warned-vs-spoofing-scams
https://technology.inquirer.net/140281/cicc-gets-10000-complaints-vs-online-scams-in-2024-tripling-past-years-list
https://www.channelnewsasia.com/singapore/banks-phase-out-otps-login-phishing-scams-digital-tokens-4466786

Article
Building Digital Trust with V-Key at the State Bank of Vietnam Event 

2025 April, Vietnam –  V-Key had the privilege of participating in the State Bank of Vietnam (SBV) CIO Roundtable event on 1 April 2025. This event brought together key players in Vietnam’s financial industry to discuss the future of banking security and the impact of regulations on digital transformation. It was an important platform to explore how V-Key supports financial institutions in Vietnam to stay ahead of regulatory compliance and security innovation. 

Article
Journey to Passwordless Authentication

Is it the Beginning of the End of Passwords? 

In the wake of cyber-attacks at some of the biggest Superannuation Funds in Australia last week, one question should be asked, is this the beginning of the end of Passwords? The safety of using Passwords has been broken for a long time. Managing passwords can be dauntingly challenging. They can be difficult to remember, and often, people reuse them across multiple platforms and systems, which makes them a target for cybercriminals. In fact, according to the 2023 Verizon Data Breach Investigations Report (DBIR), over 50% of data breaches are linked to stolen or compromised credentials. This exposes sensitive data, whether it’s banking details, emails, or personal information, to potential risks.  

Article
Vietnam’s New Digital Security Regulations: Strengthening Mobile and Biometric Protections

Vietnam is rapidly enhancing its digital security landscape. In just the past six months, two major regulations—Decision 2345 (effective July 2024) and Circular 50 (effective January 2025)—have been introduced to address growing threats such as biometric fraud, mobile app tampering, and unauthorized data access. These changes are not just regulatory updates; they serve as a wake-up call for businesses to fortify their cybersecurity defenses before it’s too late. 

Article
Mobile Malware Landscape in 2024: Why App Security Is Critical for Businesses

Mobile malware attacks are rising as mobile banking, digital payments, and remote authentication become mainstream. In 2024, over 33.3 million mobile malware attacks were recorded globally, according to a report by a security firm, underscoring the urgent need for stronger mobile security. Another study found that Trojan banking malware attacks nearly tripled this year, surging by 196% worldwide. 

Article
Strengthening Australia’s Digital Identity Future 

Australia is making significant progress in digital identity adoption, with the federal government leading efforts through its national Digital ID system. 73% of Australians now have a Digital ID account for government services, up from 60% in 2023, reflecting increasing engagement. With smartphones as the most popular device for accessing these services, digital identity is becoming a key part of everyday interactions. However, 56% of Australians remain concerned about data security, highlighting the need for a secure and seamless identity ecosystem. 

Article
V-Key Continues to Expand in Australia to Strengthen Digital Identity and Authentication

V-Key strengthens its presence in Australia by participating in the FIDO Alliance events in Melbourne, reinforcing its commitment to digital identity and authentication. With discussions on passkeys, step-up authentication, and regulatory updates, V-Key highlighted how V-Key ID enhances security and trust. As digital transformation accelerates in Australia, V-Key continues to support enterprises in financial services, payment gateways, and government with innovative mobile security solutions. Expanding its local team, V-Key is dedicated to enabling seamless and secure digital interactions through advanced authentication technologies.

Article
Why Passwordless Authentication is the Future of Security

Managing passwords can be challenging. They can be difficult to remember, and often, people reuse them across multiple sites, which makes them a target for cybercriminals. In fact, according to the 2023 Verizon Data Breach Investigations Report (DBIR), over 50% of data breaches are linked to stolen or compromised credentials. This exposes sensitive data, whether it’s banking details, emails, or personal information, to potential risks. 

Article
Protect Your Business All Year with V-Key ID and FIDO2

Lunar New Year is a time for celebration for many people around the world, but it’s also a good opportunity for scammers who are always trying to entice victims to grab the next cheap online shopping deal. A common technique that scammers use is to lure a victim into installing a malware app that can then be used to phish user’s credentials, capture SMS OTPs, or even remotely control the phone to perform banking transactions. 

Article
V-Key’s 2024 Journey in Advancing Digital Security and Empowering Seamless Digital Experiences

As we reflect on 2024, V-Key is proud of the milestones we’ve achieved and the innovations we’ve introduced in the field of digital identity and mobile security. This year, we have remained steadfast in our mission to protect digital experiences and empower businesses with advanced solutions. From key industry events to groundbreaking technological advancements, we’ve continually strived to meet the evolving needs across various sectors.  

Article
5 Simple and Effective Ways to Secure Your Mobile App with V-OS App Shield

For businesses, especially those handling sensitive data or financial transactions, ensuring app security is no longer optional. The risk is real: attacks on mobile apps can lead to reputational damage, regulatory fines, and the loss of user trust.  

V-OS App Shield is a reliable solution designed to safeguard mobile applications. Beyond the basics of security, it offers a cost-effective approach that combines robust protection with ease of use. Here are 5 ways V-OS App Shield can enhance your mobile app security and deliver real-world benefits. 

Article
Securing Mobile Apps and Why It’s Critical for Businesses

Mobile devices continue to become indispensable, with the average smartphone user spending around 88% of their day interacting with apps. This surge in mobile usage highlights an escalating need for businesses to ensure their apps are secure, as the stakes of app security have never been higher. From retail businesses to e-commerce platforms, mobile apps handle sensitive user data and provide access to essential business systems. The consequences of a breach can be devastating, both for businesses and their users. 

Article
Introducing V-OS App Shield: Connect, Deploy and Protect your App in Minutes

Mobile applications are key to daily business operations, customer engagement, and overall functionality. According to Google, the average smartphone user interacting with nearly 10 apps daily and spending about 88% of their time on mobile, the need for strong mobile app protection has never been more pressing. Introducing V-OS App Shield, a revolutionary solution designed to secure your mobile apps fast and easy.

Article
V-Key partners with Bridge Alliance to build a Safer Digital Ecosystem

V-Key, renowned for its advanced security solutions has proudly joined Bridge Alliance as their technology Partner,  solidifying their commitment to innovation and excellence in mobile security. This partnership opens doors to explore new avenues for enhancing authentication experiences and mitigating cybersecurity risks.

Article
Making 2FA/MFA robust against smishing and related attacks

2FA/MFA was introduced to make it harder for attackers, by requiring two or more proofs of identity – also known as authentication factors. These can take many forms, but can be boiled down to: something you know (e.g., a password), something you have (e.g., a cryptographic key), or something you are (e.g., a biometric ID that is unique to you) [1].

However, 2FA/MFA is not a universal panacea that can be picked off a shelf and thrown in to solve any and all challenges presented by attackers.

Article
How do we determine the effectiveness of mobile apps’ security systems?

With the spate of remote working regime due to Coronavirus pandemic, the reliance and growth for video conferencing platform has been exponentially escalated. However, most mobile apps today are nowhere near as secure as we would like them to be.

Article
Is the detection of jailbroken/rooted phone sufficient against threats?

Functions that detect jailbroken/rooted devices are most commonly added to transactional mobile applications, serving as the most basic defense against threats. However, this is nothing but a drop in a bucket.

Article
Why Existing Mobile Software Protections are Insufficient

Recognizing that existing mobile software protections are insufficient against today’s cyber threat landscape, we take a closer look at the main types of software protections in the market.

Article
V-OS Protection against CPU vulnerabilities

Virtually every computing device in the world is made unsafe by the latest disclosures on Central Processing Unit (CPU) vulnerabilities. Find out how the virtual secure element technology is protecting millions of mobile application users against such vulnerabilities.

Article
V-OS Protection against Android Plugin malware

There has been a recent surge in Android malware abusing Android Plugin Frameworks for malicious behavior. DroidPlugin, Parallel Space and VirtualApp are several plugin frameworks that have been abused by malware in recent months to spread Android malware.

Article
Three steps to fight the Mobile Security status quo

Have financial institutions accepted a status quo that sacrifices user experience for increased security? With mobile digital identity quickly becoming central to an entire suite of online services, those who challenge the status quo will set themselves up to prosper and grow. Read more to find out three oft-ignored areas of research.

Article
Cryptography in V-OS

V-OS is the world’s first virtual secure element. Cryptography plays a dual-role in these; to secure and manage the secrets kept within V-OS, and to provide a lightweight yet comprehensive cryptographic library.

Article
Building V-OS with HSM

V-OS is the world’s first virtual secure element, a software solution with security built into the firmware code. These include secret cryptographic parameters and data, which need to be randomly generated and securely persisted, and are then transformed into code and data files.

Article
How does a Virtual Smart card protect a customer if they lose or change their mobile phone?

From banks to government agencies, many organisations are intrigued by and exploring software security solutions such as mobile tokens and mobile identity systems for individual identification, authorisation and authentication.

Article
Is software-based Biometrics Authentication the solution to ASEAN’s regulatory challenges?

Banks in Southeast Asia should look towards software-based biometrics as the way forward to navigate the regulatory differences in the region and secure their customers’ transactions.

Article
Infographic: The next frontier in Banking transformation

As technology evolves, banks and financial institutions have no choice but to innovate. However, when it comes to security, many still rely on traditional, costly methods.

Article
Mobile Security that works for everyone

Safe, convenient and simple.

Article
The next wave of Finance: Singapore’s growing Fintech market

With global cumulative investment in financial technology (fintech) forecast to exceed US$150 billion in three to five years, economies around the world are vying to attract fintech innovators and cash in on this growing industry.