The Bangko Sentral ng Pilipinas (BSP) has mandated that digital banking applications discontinue the use of one-time passwords (OTPs) sent via SMS by June 30, 2026, as part of a broader initiative to enhance financial account security. This directive aligns with Section 6 of the Anti-Financial Account Scamming Act, which aims to protect consumers from fraud and unauthorized access to financial accounts.
Security Risks of SMS-Based OTPs
The BSP emphasized that SMS-based OTPs present significant security vulnerabilities because text messages can be intercepted or accessed by third parties. A key weakness lies in the Signaling System No. 7 (SS7), a telecommunications protocol developed in the 1970s to route calls and messages across networks. Originally designed for a limited number of trusted telecom operators, SS7 has become increasingly susceptible to exploitation as networks expanded. Cybersecurity experts have warned that attackers can exploit these flaws to reroute text messages, including OTPs, and gain unauthorized access to accounts.
Transition to Stronger Authentication Methods
To address these risks, BSP Circular No. 1213 directs financial institutions to adopt more robust multi-factor authentication methods. These include biometric verification such as fingerprint and facial recognition, behavioral biometrics, passwordless authentication using security keys, and adaptive systems capable of detecting unusual or suspicious account activity. The shift is intended to reduce fraud risks and enhance protection for users of digital financial services.
