For stronger safeguard vs fraud
MANILA, Philippines — Philippine banks and e-wallet providers are expected to increasingly replace text-based one-time passwords (OTPs) with silent and risk-based authentication as financial institutions strengthen safeguards against fraud.
“We expect a shift away from codes the customer has to type and toward signals that are far harder for an attacker to fake or steal,” Sylvain Chaperon, general manager of 8x8 CPaaS, told The STAR.
The transition follows the June 25 compliance deadline under Bangko Sentral ng Pilipinas Circular 1213, which limits the use of interceptable authentication mechanisms such as OTPs sent through text and email.
The rules require institutions offering complex electronic financial services and handling an average monthly network transaction value of at least P75 million over six months to use stronger authentication for high-risk transactions. These may include biometrics, passwordless methods and adaptive authentication based on a customer’s location, device and behavior.
Chaperon said OTPs were developed for a less complex threat environment, with the system relying on the assumption that the mobile number receiving the code remains under the account holder’s control.
However, fraudsters have increasingly exploited the system through SIM swapping, the interception of messages and social engineering schemes that persuade customers to disclose their OTPs.
“In a mobile-first economy like the Philippines, where the smartphone is most people’s primary gateway to banking and payments, that makes the authentication step a high-value target,” he said.
Among the possible alternatives is silent mobile authentication, which verifies a customer’s SIM card, device and transaction session directly with a mobile network operator. Since no code is sent, there is nothing for fraudsters to intercept, steal or convince a customer to disclose.
Earlier this year, 8x8, a cloud communication solutions provider, partnered with PLDT Enterprise to launch Silent Mobile Authentication in the Philippines, enabling businesses to verify users through trusted mobile network signals without requiring OTPs.
Banks may also use passkeys, biometric scans and magic links that connect a customer’s identity to a specific device rather than merely to a mobile number.
Chaperon said institutions are unlikely to rely on a single replacement for OTPs. Instead, they are expected to adopt layered systems that assess device information, network data and user behavior, requiring additional verification only when a transaction appears risky.
He added that stronger security does not necessarily have to create more inconvenience, particularly for users who are less familiar with digital technology.
“The principle is to move the effort away from the customer and into the technology,” Chaperon said. “Silent authentication is the clearest example: it verifies identity in the background, so the customer does nothing at all - no code to read, type or understand.”
While adopting new systems requires investment, he said institutions should weigh the expense against potential fraud losses, customer remediation, reputational damage and higher support costs.