BSP Circular 1213: What It Means for Authentication — and What Comes Next
The Bangko Sentral ng Pilipinas (BSP) has issued Circular No. 1213, a formal update to its IT Risk Management Framework that places new emphasis on the authentication mechanisms used by regulated entities. For Philippine banks, e-money issuers, and other BSP-supervised institutions, the circular is more than an update: it is a realignment with global expectations for customer identity assurance in digital environments.
Among its most consequential requirements is the shift toward multi-factor authentication (MFA) that is both phishing-resistant and cryptographically verifiable. This marks a clear step away from legacy methods like OTPs and passwords, and toward standards-aligned protocols such as FIDO2, WebAuthn, and device-based authentication.
TL;DR
- BSP Circular 1213 introduces stricter authentication requirements for regulated financial institutions in the Philippines
- Multi-factor authentication must be phishing-resistant, cryptographically verifiable, and avoid reliance on OTPs or passwords
- Authentication must ensure transaction integrity, dynamic linking, and strong auditability
- Passkeys provide a modern alternative to legacy 2FA, using biometric verification and public key cryptography
- Passkeys+ extends this model with cryptographic device binding, enabling both user and device verification
- This approach aligns with global standards like FIDO2, NIST 800-63B, and PSD2/SCA
- Regulated entities adopting passkeys or Passkeys+ can meet compliance while improving user experience and reducing fraud
Why authentication is central to Circular 1213
The BSP’s intention is clear: the rising frequency and sophistication of account takeover (ATO), credential phishing, and SIM-swapping attacks demand a more resilient approach to user identity. Circular 1213 reflects this urgency by setting new expectations for:
- Digital onboarding and customer login
- Transaction authorization, especially for high-risk activities
- Device and session management across platforms
- Ongoing identity proofing and non-repudiation
Section 5.3.3 of the circular lays out the minimum standards for authentication. It explicitly states that regulated entities must implement MFA that is resistant to phishing and replay attacks. The use of “single-factor authentication,” such as passwords or OTPs sent via SMS, is no longer sufficient, even when paired with other weak mechanisms.
Additionally, the circular requires financial institutions to establish controls that ensure transaction integrity, link the authentication directly to the action being authorized, and retain verifiable, audit-friendly records. These are also core tenets of modern frameworks like PSD2’s Strong Customer Authentication (SCA) rules and the U.S. NIST SP 800-63B identity guidelines.
Source:
BSP Circular 1213 – https://www.bsp.gov.ph/Regulations/Published%20Issuances/Images/Circular_1213.pdf
Legacy methods don’t meet the new bar
While many institutions have long relied on OTPs, authenticator apps, or push notifications, these tools no longer satisfy regulatory or technical expectations.
OTPs, especially via SMS, are vulnerable to phishing, SIM-swap attacks, and malware interception. Push-based systems offer better UX but often lack transaction linkage, attestation, or secure audit trails. Even app-based authenticators can fall short if they rely solely on knowledge factors and don’t cryptographically bind the device.
This mismatch between the tools in use and the controls now required isn’t just a compliance issue—it’s an operational and reputational risk. As seen in other markets, regulators are increasingly willing to act when financial institutions rely on outdated authentication that fails to protect end users.
Related global frameworks:
- EBA Guidelines on ICT and Security Risk Management: eba.europa.eu
- NIST SP 800-63B: pages.nist.gov
- FIDO Alliance Standards Overview: fidoalliance.org
Where passkeys and Passkeys+ fit in
Passkeys, based on the FIDO2 and WebAuthn standards, offer a modern solution. They eliminate passwords entirely, using a public-private key pair stored securely on the user’s device, combined with biometric verification. Because the private key never leaves the device and is never shared, passkeys are inherently resistant to phishing and credential theft.
Passkeys satisfy many, but not all, of the controls outlined in BSP 1213. For example, they verify the user securely and locally, but they may not offer full visibility into device trust, especially when passkeys are synced across multiple devices via a platform authenticator (e.g., iCloud Keychain, Google Password Manager).
This is where Passkeys+, an emerging architecture built around passkeys with additional device attestation, becomes relevant.
Passkeys+ introduces a second layer: cryptographic device binding. This ensures that not only is the user verified, but the device they’re using is recognized, registered, and provably secure. This enables financial institutions to satisfy two critical requirements simultaneously:
- Verifying the user via biometric passkey
- Verifying the device via a trusted attestation key (e.g., generated and bound during enrollment)
Solutions that follow this model are capable of:
- Performing true multi-factor authentication, even without passwords or OTPs
- Enabling transaction binding through cryptographic signatures
- Supporting auditable logs of login and authorization events
- Enabling secure onboarding of new or recovered devices, without resetting credentials
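To make the controls above concrete (phishing resistance through origin binding, dynamic linking of the signature to the transaction, replay detection through a signature counter, and a second device-bound signature in the Passkeys+ style), here is an added example of the relying-party side in Go. It is not code from the circular, from the FIDO specifications, or from any vendor: it follows the shape of WebAuthn's clientDataJSON and authenticator data but is a simplified model, not the wire format, and the origin, payee and amount values are constructed for the demonstration. A production relying party would use a maintained WebAuthn library rather than this sketch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed example of the relying-party (RP) side of a passkey plus device-bound check,
// shaped like WebAuthn's clientDataJSON and authenticator data but simplified (not the wire format).
const rpOrigin = "https://bank.example" // hypothetical RP origin

// Transaction is the action being authorized. The challenge is derived from it, so a
// signature over one transaction cannot authorize another (dynamic linking).
type Transaction struct {
	Payee  string
	Amount int64  // centavos
	Nonce  string // fresh per request, issued by the RP
}

func TransactionChallenge(tx Transaction) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%s|%d|%s", tx.Payee, tx.Amount, tx.Nonce))))
}

// SignedData is what the authenticator signs. Origin is filled in by the browser or
// platform, never by the page, which is what makes the credential phishing-resistant.
type SignedData struct {
	Origin    string `json:"origin"`
	Challenge string `json:"challenge"`
	Counter   uint32 `json:"counter"` // increases on every use of the credential
}

// Assertion is the device's answer to one authorization request.
type Assertion struct {
	SignedData
	Signature, DeviceSig []byte // passkey and device-key signatures over SHA-256(JSON(SignedData))
}

// Authenticator stands in for the user's device: neither private key ever leaves it, and
// the passkey is only released after local biometric or PIN verification.
type Authenticator struct {
	credKey, deviceKey *ecdsa.PrivateKey
	counter            uint32
}

// Credential is what the RP stores at registration: public keys and the last counter seen.
type Credential struct {
	PubKey, DevicePub *ecdsa.PublicKey
	Counter           uint32
}

// Register enrolls a passkey and a device key; the RP keeps only the public halves.
func Register() (*Authenticator, *Credential, error) {
	ck, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dk, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil || err2 != nil {
		return nil, nil, fmt.Errorf("key generation failed: %v / %v", err, err2)
	}
	return &Authenticator{credKey: ck, deviceKey: dk}, &Credential{PubKey: &ck.PublicKey, DevicePub: &dk.PublicKey}, nil
}

func digestOf(sd SignedData) []byte {
	data, _ := json.Marshal(sd) // cannot fail for this plain struct of strings and an integer
	h := sha256.Sum256(data)
	return h[:]
}

// Sign produces both signatures over the same digest: the user factor (passkey) and the device factor.
func (a *Authenticator) Sign(origin, challenge string) (Assertion, error) {
	a.counter++
	sd := SignedData{Origin: origin, Challenge: challenge, Counter: a.counter}
	digest := digestOf(sd)
	sig, err := ecdsa.SignASN1(rand.Reader, a.credKey, digest)
	dsig, err2 := ecdsa.SignASN1(rand.Reader, a.deviceKey, digest)
	if err != nil || err2 != nil {
		return Assertion{}, fmt.Errorf("signing failed: %v / %v", err, err2)
	}
	return Assertion{SignedData: sd, Signature: sig, DeviceSig: dsig}, nil
}

// Verify is the RP side. Each check maps to one of the controls discussed above.
func Verify(cred *Credential, tx Transaction, as Assertion) error {
	digest := digestOf(as.SignedData)
	switch {
	case as.Challenge != TransactionChallenge(tx):
		return fmt.Errorf("challenge does not match this transaction (dynamic linking)")
	case as.Origin != rpOrigin:
		return fmt.Errorf("origin mismatch: assertion was collected on another site")
	case as.Counter <= cred.Counter:
		return fmt.Errorf("counter did not increase: replayed assertion")
	case !ecdsa.VerifyASN1(cred.PubKey, digest, as.Signature):
		return fmt.Errorf("passkey signature invalid")
	case !ecdsa.VerifyASN1(cred.DevicePub, digest, as.DeviceSig):
		return fmt.Errorf("device signature invalid: unregistered device")
	}
	cred.Counter = as.Counter // remember the counter only after every check passes
	return nil
}
```

The order of checks in Verify is deliberate: the cheap structural comparisons (challenge, origin, counter) run before any signature verification, and the stored counter is only advanced once every check has passed, so a rejected assertion can never move the replay window. The device signature is the Passkeys+ addition; a valid passkey signature paired with a device signature from an unenrolled device is rejected even though the user factor was satisfied.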
Implications for implementation
BSP’s updated framework encourages institutions to treat authentication not as a single event, but as a continuous posture of assurance. That includes how users log in, authorize payments, respond to 3DS challenges, and switch between app and browser contexts.
The model enabled by Passkeys+ allows a single credential to span these environments securely, using cryptographic assertions that can be verified in real time by the relying party. Importantly, this approach works across platforms—not just in apps, but in browser-based flows where phishing and redirection risks are highest.
Many of the performance tradeoffs institutions once faced—higher friction, lower success rates, costly OTP infrastructure—are no longer necessary. The technical frameworks now exist to meet high security standards and deliver a smoother user experience at the same time.
Final thoughts
BSP Circular 1213 represents a meaningful step forward for digital trust in the Philippines. It brings national expectations in line with global authentication standards and signals that convenience alone is no longer an acceptable reason to compromise security.
While no single technology solves every problem, modern authentication tools—particularly passkeys and enhanced models like Passkeys+—give regulated entities a credible, standards-aligned path to compliance. More importantly, they offer a foundation that is resilient, user-friendly, and future-proof.
As implementation deadlines loom and audits begin, the institutions that act early will be the ones best positioned to avoid risk and deliver meaningful improvements to both security and user experience.
Resources and References
- BSP Circular 1213 (June 2025): https://www.bsp.gov.ph/Regulations/Published%20Issuances/Images/Circular_1213.pdf
- FIDO Alliance: https://fidoalliance.org
- NIST SP 800-63B: https://pages.nist.gov/800-63-3/sp800-63b.html
- EBA ICT Guidelines: https://www.eba.europa.eu
- Gartner IAM Trends: (Available to subscribers)
- FBI IC3 Annual Report (2023): https://www.ic3.gov/