Passkeys for Philippine Financial Services: A Strategy Playbook

Written by Greg Storm
Published on November 26, 2025

The Philippines is accelerating its move away from outdated one-time passwords (OTPs) in banking, aiming for a full phase-out by mid-2026. This follows a growing trend across Asia-Pacific to strengthen authentication in regulated industries. Several firms have already begun piloting next‑generation authentication solutions with local financial institutions—an indication that the Philippines is poised for a significant shift toward more secure and user‑friendly digital identity approaches.

For financial institutions, this is not just a compliance milestone. It’s a rare opportunity to overhaul digital identity security, reduce fraud risk, and improve customer experience all at once.

What Passkeys Are and Why They Matter in Regulated Environments

Passkeys are a modern authentication method built on FIDO2 and WebAuthn standards. Instead of relying on knowledge-based factors (like passwords) or easily intercepted OTPs, passkeys use public–private key cryptography stored securely on a user’s device.

In regulated environments like banking, the difference is profound:

  • No shared secrets to steal or phish.
  • Instant authentication without the latency of SMS or email codes.
  • Built-in resistance to common attack vectors like man-in-the-middle (MITM) and credential stuffing.

Passkeys can be implemented as user-bound (tied to an account identity across devices) or device-bound (tied to a specific, registered device). While both approaches raise the security baseline, device-bound passkeys have critical advantages for risk and compliance.

Why Device-Bound Passkeys Win in Banking

In financial services, device-bound passkeys deliver three key benefits:

  1. Higher Assurance – Authentication is only possible from a known, verified device, reducing account takeover risk from remote attackers.
  2. Regulatory Alignment – Many APAC regulators, including the Bangko Sentral ng Pilipinas (BSP), value strong possession-based factors that can be independently verified.
  3. Fraud Containment – Even if account credentials are compromised elsewhere, fraud attempts fail without the bound device.

By contrast, user-bound passkeys—while convenient—can be synced across devices and cloud accounts, potentially introducing risk in high-value transactions.

A Strategic Framework for Adoption

Rolling out passkeys in the Philippine financial sector isn’t a one-step process. Institutions should treat this as a phased transformation:

1. Phased Rollout
  • Start with low-risk use cases (e.g., mobile app login) before extending to high-value transactions.
  • Pilot with internal teams or select customer segments to gather feedback.
2. Deep Mobile App Integration
  • Implement passkeys directly in existing mobile banking apps rather than web-only flows.
  • Combine with device attestation for stronger possession verification.
3. Fallback Planning
  • Maintain secure recovery channels (e.g., in-person verification, biometric re-enrollment).
  • Avoid falling back to OTPs for routine recovery; this undermines the security gains.
4. User Education
  • Use in-app guides and branch staff to explain what passkeys are and how they work.
  • Address customer concerns about “what happens if I lose my phone” upfront.

Challenges to Anticipate and How to Overcome Them

  • Device Compatibility – Older devices may not support modern passkey standards. Plan for hybrid support during the transition, but encourage customer upgrades through incentives. Vendors like Ideem support a wide variety of operating systems and their many versions.
  • Regulatory Acceptance – While BSP is already pushing for stronger authentication, engage with regulators early to align technical implementations with compliance requirements.
  • Customer Trust – Any shift in authentication can cause hesitation. Emphasize the benefits: faster login, fewer codes, and stronger security against scams.

Where Ideem Fits In

Ideem’s Zero-Trust Secure Module (ZSM) is built for regulated environments like Philippine banking. By enabling bank-grade device binding with passkeys, Ideem helps institutions:

  • Replace OTPs without adding complexity.
  • Ensure possession factors are truly tied to the customer’s verified device.
  • Maintain compliance while delivering a seamless user experience.

With BSP’s mid-2026 OTP sunset on the horizon, the time to start is now.

Key Takeaways

  • The Philippines is phasing out OTPs by mid-2026, creating urgency for banks to adopt stronger authentication.
  • Passkeys—especially device-bound implementations—offer both security and compliance advantages for regulated environments.
  • A successful rollout involves phased deployment, strong user education, mobile app integration, and secure fallback options.
  • Address challenges early: plan for device diversity, regulatory alignment, and customer trust.
  • Partnering with solutions like Ideem’s ZSM ensures banks can meet compliance goals while enhancing the customer experience.
