
Singapore Banks and Passkeys: Replacing SMS OTP

Discover why banks in Singapore have to phase out OTPs in favour of more secure digital tokens, and why passkeys are the superior replacement for banking security.


Vincent

Created: July 26, 2024

Updated: September 24, 2024


Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to keep you up to date on the latest developments in the industry.


1. Introduction#

The Monetary Authority of Singapore (MAS) has announced that all major retail banks in the country have to phase out OTPs and replace them with “digital tokens” within the next three months. This move, in collaboration with the Association of Banks in Singapore (ABS), aims to protect consumers from phishing and other scams, which cost over $14 million in 2023. In this blog post, we want to discuss:

  • Discontinue OTP: Why does the MAS prioritize discontinuation of OTPs?
  • Digital Tokens: What are digital tokens and why are they more secure?
  • Passkeys: Could passkeys help to fulfil the new requirements?

Let’s start by taking a closer look at the Monetary Authority of Singapore (MAS) announcement “Banks in Singapore to Strengthen Resilience Against Phishing Scams”.

2. Monetary Authority of Singapore (MAS) announcement on Phishing Scams and Digital Tokens#

On July 9, 2024, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) announced a significant step to enhance the security of digital banking by phasing out the use of One-Time Passcodes (OTPs). This transition is set to take place progressively over the next three months and aims to better protect consumers from phishing scams, which have become the main threat in digital banking. While the announcement refers only to “One-Time Passwords” (OTPs) in general, it specifically targets SMS OTPs.

Customers who have activated their digital tokens on their mobile devices will now be required to use these tokens for logging into their bank accounts via browsers or mobile banking apps. The digital token authenticates customers’ logins without the need for OTPs, which scammers can steal or trick customers into disclosing. We will provide more details on what digital tokens are in the next section.


Technological advancements and sophisticated phishing techniques have outpaced the security that SMS OTPs once provided. Scammers now create fake bank websites that closely resemble genuine sites, luring customers into entering their OTPs and other credentials. The shift to phishing-resistant authentication factors strengthens the security, making it significantly more challenging for scammers to gain unauthorized access to a customer’s account.

Phishing scams remain a persistent concern in Singapore. Banks continue to collaborate closely with MAS and the Singapore Police Force to develop and introduce measures that bolster collective resistance against the evolving scam landscape. Mrs. Ong-Ang Ai Boon, Director of ABS, emphasized that while the new measure may introduce some inconvenience, it is a necessary step to prevent scams and protect customers.

Ms. Loo Siew Yee, Assistant Managing Director (Policy, Payments & Financial Crime) at MAS, highlighted that MAS is committed to working closely with banks to safeguard consumers against digital banking scams. She noted that this latest measure will complement good cyber hygiene practices that customers should continue to follow, such as safeguarding their banking credentials.

This measure by MAS and ABS shows their commitment to enhancing digital banking security by mandating the use of digital tokens. What the announcement lacks is a clear outline of what a digital token must provide in terms of authentication. Let’s take a closer look at that in the next section.


3. What are Digital Tokens and Why are They More Secure?#

Digital tokens represent an advancement in online security, providing a stronger alternative to traditional SMS One-Time Passcodes (OTPs). Unlike SMS OTPs, which are transmitted via SMS (or email) and can be intercepted or phished, digital tokens are bound to a specific device, typically a mobile phone, ensuring that only the device owner can generate the necessary authentication codes.

3.1 How Digital Tokens Work#

Digital tokens operate in one of two ways:

  • Time-based digital token (less secure): These tokens are time-based, dynamic codes used to authenticate a user's identity. They are produced by a native app on the user's mobile device, such as the bank’s proprietary app. In most implementations the code itself is no longer displayed; instead, the user receives a push notification asking for consent to the transaction details, and the confirmation is transmitted back to the banking server.
  • Cryptographic digital token (more secure): A cryptographic digital token represents an even more secure method of authentication compared to time-based tokens. It utilizes a public-private key pair stored within the app or within the secure enclave of the mobile phone. During the authentication process, the banking server sends a challenge to the user's device. The device then uses its private key to sign this challenge, and the signed response is sent back to the server. The server verifies the signature using the corresponding public key. This method ensures that even if an attacker intercepts the communication, they cannot replicate the authentication process without access to the user's private key, which remains securely stored on the device.

3.2 Enhanced Security Features of Digital Tokens#

The security of digital tokens is stronger due to several key features:

  1. Device Binding: The token is tied to a specific device, meaning the authentication codes can only be generated by that device. This device binding makes it extremely difficult for attackers to replicate or transfer the token to another device.
  2. Multi-factor Setup: Initial setup of the digital token often involves OTPs sent via SMS and email to verify the user’s identity, in addition to the banking PIN (some banks also use this approach to retire physical tokens, in which case the physical OTP token can be used for the setup). Once the token is activated, it becomes the primary method for authentication, eliminating the need for future OTPs and their associated vulnerabilities. For example, DBS Bank uses a combination of SMS and email OTPs during the initial setup of the digital token, after which ongoing authentication relies solely on the token.
  3. Time-based or cryptographic protection: Digital tokens employ strong cryptographic algorithms or time-based algorithms (TOTP) to generate the authentication codes, ensuring that even if the communication between the device and the authentication server is intercepted, the codes cannot be easily decrypted or forged.

3.3 Case Study: DBS Bank’s Implementation#

DBS Bank, a major financial institution in Singapore, has successfully implemented digital tokens to enhance security for its customers. The bank asks for

  • Something the user knows: PIN
  • Something the user has: SMS OTP (access to the phone assigned to phone number)
  • Something the user has: email OTP (access to the email assigned to the account)

to set up the digital token on a customer's mobile device. Once set up, the digital token becomes the sole method for authenticating logins and transactions, effectively mitigating the risk of phishing attacks that target OTPs.

(Image: DBS Bank digital token setup)

In case the connected email address is not up-to-date and a physical token is not available, the user can set up the digital token with fallback options:

(Image: Singpass fallback option)

The fallback options include the Singpass digital identity, using a Video Teller Machine (VTM) at a branch near the customer, or requesting a registration code to be mailed physically within 3-5 days.

3.4 Digital Token Advantages Over OTPs#

The move from OTPs to digital tokens addresses several vulnerabilities associated with traditional authentication methods:

  • Partial Phishing Resistance: Since digital tokens are generated and used directly on the user's device, there is no code in transit that a phishing site could intercept. Even if a scammer tricks a user into providing login details, they cannot generate the necessary authentication code without physical access to the device.
  • Reduced Attack Surface: By eliminating the need for SMS and email as transmission channels for authentication codes, digital tokens reduce the attack surface that scammers can exploit.
  • User Convenience: Although the initial setup may require extra steps, the ongoing use of digital tokens is seamless and convenient for users. They no longer need to wait for an OTP to arrive via SMS or email, which can sometimes be delayed or blocked.

3.5 Incomplete solution for phishing#

While phishing resistance is partially improved, a new risk emerges: customers become accustomed to approving digital token authentication requests and can fall victim to MFA fatigue attacks. An attacker might take advantage of this by triggering such a request from a phishing page and relying on the customer to approve it.

(Image: digital token authentication request)

That is the reason why bigger tech companies (e.g. Google and Microsoft), which have experienced a lot of breaches, have started adding challenges to those push notifications, for example asking the user to pick the correct number, to protect customers.

(Image: Microsoft push notification with number-matching challenge)

Digital tokens offer a more secure method for authentication in the digital banking landscape but do not eliminate the phishing risk completely. An attacker could still get the victim to authenticate the attacker's access by convincing the victim to confirm digital token requests. What DBS Bank’s implementation has shown is that it is possible to easily enroll customers into another form of authentication by combining existing factors. The question at that point is: why do MAS and DBS Bank not introduce passkeys? Let’s look at that.

4. Passkeys for Singapore Banking#

As we have seen, digital tokens represent a step forward in securing digital banking transactions compared to traditional SMS OTPs. However, while digital tokens provide enhanced security features, they are not completely phishing-resistant. An attacker could still trick a victim into authenticating a fraudulent request by convincing them to confirm digital token prompts. This ongoing vulnerability suggests that digital tokens, while an improvement, do not constitute a bold enough move toward securing online banking.

4.1 Passkeys are More Secure Than Digital Tokens#

Passkeys offer a truly phishing-resistant authentication method. Unlike digital tokens, passkeys are inherently resistant to phishing attacks because they can only be used on the correct website or application. This ensures that users cannot be tricked into entering their credentials on a fraudulent site. Passkeys rely on public-private key cryptography, where the private key is securely stored on the user's device and, when synced, is securely encrypted in the operating system vendor's cloud. The public key is shared with the authenticating service.

Here’s how passkeys enhance security:

  1. Phishing Resistance: Passkeys eliminate the risk of entering authentication details on fake websites. Since the authentication process can only proceed on the legitimate site that issued the challenge, phishing attempts are rendered ineffective. It is technically impossible to use a passkey on a site other than the one it was registered for, and it is also impossible for an average consumer to export a passkey to a foreign party.
  2. Multi-Device Support: Unlike digital tokens, which are often tied to a single device, passkeys can be synchronized securely across authenticated devices within the same cloud or password manager. This provides flexibility and convenience for users who access their banking services from various devices.
  3. Strong Device Security: Passkeys require that 2FA is activated within the mobile phone ecosystem (such as iOS or Android). This additional layer of security ensures that even if a device is compromised, the attacker would need to bypass the device's 2FA to gain access to the passkeys. We have already elaborated on the details when explaining the SCA/PSD2 details on passkeys and explained why synced passkeys can be used for banking.
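To make the difference between the challenge-response flow of cryptographic digital tokens (section 3.1) and the origin binding of passkeys (point 1 above) concrete, here is an added example in Go; it is not code from the original post or from any bank. It assumes two hypothetical origins, https://bank.example (legitimate) and https://bank-login.example (a look-alike page), and simplifies WebAuthn by signing only the client data, leaving out authenticator data and the RP ID hash.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed example, not any bank's code. bankOrigin is a hypothetical
// legitimate origin; a phishing page lives on some other origin.
const bankOrigin = "https://bank.example"

// Simplified WebAuthn client data (authenticator data and RP ID hash omitted).
type clientData struct {
	Type, Challenge, Origin string
}

// sign runs on the device: the private key never leaves it.
func sign(priv *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return sig
}

// Digital token: the device signs the bare challenge. The bank can only check
// the signature, so a challenge relayed through a phishing page still passes.
func verifyToken(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Passkey: the browser records the origin it is really on in the client data
// and the authenticator signs over it; the user cannot alter or omit it.
func signPasskey(priv *ecdsa.PrivateKey, challenge []byte, origin string) (cd, sig []byte) {
	cd, _ = json.Marshal(clientData{"webauthn.get", fmt.Sprintf("%x", challenge), origin})
	return cd, sign(priv, cd)
}

// verifyPasskey rejects a relayed assertion before consulting the key: the
// phishing origin is signed into the client data and does not match the bank.
func verifyPasskey(pub *ecdsa.PublicKey, challenge, cd, sig []byte) bool {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || c.Type != "webauthn.get" ||
		c.Challenge != fmt.Sprintf("%x", challenge) || c.Origin != bankOrigin {
		return false
	}
	h := sha256.Sum256(cd)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := []byte("constructed challenge issued by the bank")
	// Both answers are produced on the look-alike page https://bank-login.example.
	fmt.Println("token accepted:", verifyToken(&priv.PublicKey, challenge, sign(priv, challenge)))
	cd, sig := signPasskey(priv, challenge, "https://bank-login.example")
	fmt.Println("passkey accepted:", verifyPasskey(&priv.PublicKey, challenge, cd, sig))
}
```

The token answer is accepted because the verifier has nothing but the signature to check, while the passkey answer is rejected on the origin mismatch alone; a number-matching prompt reduces the MFA fatigue problem of tokens, but only the signed origin removes it.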

4.2 The Case for Passkeys: Australia as Role Model#

Australia has recognized the importance of phishing-resistant authentication in its Essential Eight standard, which outlines best practices for cybersecurity. The standard specifically mentions the need for technical requirements that mitigate phishing risks, positioning Australia as a leader in cybersecurity within the Asia-Pacific region. Singapore, with its advanced digital infrastructure, should follow Australia's lead by integrating passkeys into its standard and recommendations for enterprises. This would not only strengthen security but also align Singapore with global best practices in digital security.

4.3 A Call for Regulatory Action#

The banking industry is awaiting clear regulatory guidance that would explicitly allow the use of synchronized passkeys in banking. Such a move would provide banks with the confidence to adopt this advanced technology and offer their customers a truly secure and convenient authentication method. The Monetary Authority of Singapore (MAS) has the opportunity to set a new standard in digital banking security by endorsing the use of passkeys. By doing so, MAS would signal its commitment to pioneering cutting-edge security measures, ensuring that Singapore remains at the forefront of digital banking innovation.

5. Recommendations for Singapore Banks#

Converting users to more secure digital tokens is a significant step towards enhancing online banking security in Singapore. However, looking ahead, it is essential for banks to begin adopting passkeys, which will become the de-facto standard for web authentication. Here are some key recommendations for Singapore banks to future-proof their security infrastructure:

  1. Start Collecting Passkeys Early: While transitioning to digital tokens, banks should also start the process of collecting passkeys from users. This proactive approach will prepare banks for a seamless transition once passkeys become widely accepted and adopted. By integrating passkey collection into the current onboarding and authentication processes, banks can gradually build a secure database of passkeys.
  2. Replace PINs with Passkeys: A practical and immediate step towards adopting passkeys is to replace traditional PINs with passkeys. Passkeys offer a more secure and convenient alternative to PINs, leveraging public-private key cryptography. By implementing passkeys as the primary method of authentication, banks can enhance security while providing a smoother user experience.
  3. Employ Passkeys as a First Factor or Additional Risk Measure: Passkeys can be utilized as a first factor of authentication or as an additional risk measure in multi-factor authentication (MFA) setups. Incorporating passkeys into the authentication process will provide an extra layer of security, making it significantly harder for attackers to compromise user accounts. Banks can start by offering passkeys as an optional security feature and gradually make them a standard part of the authentication process.
  4. Educate Customers about Passkeys: Successful implementation of passkeys requires customer awareness and acceptance. Banks should invest in educational campaigns to inform customers about the benefits and security features of passkeys. Clear communication about how passkeys work and their role in protecting against phishing attacks will encourage more customers to adopt this technology.
  5. Collaborate with Regulators and Industry Peers: Banks should actively collaborate with regulatory bodies like the Monetary Authority of Singapore (MAS) and industry peers to establish standardized guidelines for passkey implementation. Joint efforts will ensure a consistent and secure approach across the banking sector, enhancing overall digital banking security in Singapore.
  6. Invest in Infrastructure and Support Systems: Implementing passkeys requires robust infrastructure and support systems. Banks should invest in the necessary technology and resources to support passkey authentication, including secure key management systems and integration with existing authentication frameworks. Ensuring a smooth and secure user experience will be crucial for widespread adoption.
  7. Monitor and Adapt to Emerging Threats: Regularly monitoring the threat landscape and updating security measures accordingly will help banks stay ahead of potential risks. Passkeys, combined with ongoing security enhancements, will provide a resilient defense against emerging phishing and fraud tactics.

By following these recommendations, the security of authentication in the Singapore banking industry can increase even further, and passkeys can find their way into compliance frameworks and standards such as the Safe App Standard, which currently does not mention passkeys as an authentication technology.


6. Conclusion#

In summary, the Monetary Authority of Singapore's (MAS) announcement to phase out SMS OTPs and transition to digital tokens marks a crucial step in strengthening digital banking security. This move addresses the escalating threat of phishing scams, which have significantly impacted consumers and the banking sector.

  • Why discontinue OTP: MAS prioritizes discontinuing OTPs due to their susceptibility to phishing and interception. Scammers have exploited the vulnerabilities of SMS OTPs, prompting the need for more secure authentication methods.
  • What are Digital Tokens: Digital tokens provide enhanced security by being device-bound and employing strong cryptographic algorithms. This makes them more resilient to phishing attacks compared to traditional OTPs. They also offer convenience and reduce the attack surface by eliminating the need for SMS or email-based authentication codes.
  • Can Passkeys help Singapore banking: Passkeys emerge as a superior alternative, offering robust, phishing-resistant authentication. By utilizing public-private key cryptography, passkeys ensure that authentication can only occur on legitimate sites, significantly mitigating phishing risks. Their multi-device support and strong device security further enhance their appeal.

As we explored the advantages of digital tokens, we noted their limitations in completely eliminating phishing risks. Passkeys, on the other hand, provide a comprehensive solution, aligning with international best practices in digital security. While the transition to digital tokens is a step forward, the ultimate goal should be to adopt passkeys as the future standard for digital banking authentication.
