Vincent
Created: January 31, 2025
Updated: April 24, 2025
Discover why banks in Singapore have to phase out OTPs for more secure digital tokens and learn why passkeys are a superior replacement in banking security.
One-time passwords (OTPs) sent via SMS have long been used for online banking authentication, but they come with significant security risks. Digital tokens are now replacing SMS OTPs in financial institutions, offering stronger authentication and better phishing resistance.
Device Binding
Digital tokens are tied to a specific mobile device, ensuring that only the authorized
user can generate authentication codes. This makes it impossible for attackers to steal
or intercept an OTP and use it on another device.
Phishing Resistance
SMS OTPs can be intercepted via SIM-swapping attacks or tricked out of users
through fake banking websites. Digital tokens, however,
operate within trusted banking apps and do not rely on manually entered codes,
making them significantly harder to phish.
End-to-End Encryption & Cryptographic Authentication
Digital tokens use public-private key cryptography. When a user attempts to
authenticate, the banking server sends a challenge, which is
signed using a securely stored private key on the device. The signed response is
verified using a public key, ensuring only the legitimate device can authenticate.
Elimination of SMS-based Attack Vectors
SMS OTPs rely on mobile networks, which can be hijacked, delayed, or intercepted.
Digital tokens work independently of network providers, eliminating risks from
carrier-based attacks.
Push-Based Authentication Instead of Manual Code Entry
Many digital tokens use push notifications instead of displaying a code. The user
simply approves a login request in their bank’s app, further reducing the risk of
phishing attacks.
While digital tokens significantly improve security, they are not completely immune to phishing. Attackers may attempt to trick users into approving fraudulent transactions (also known as MFA fatigue attacks). This is where passkeys provide an even stronger alternative, as they prevent authentication on fraudulent websites altogether.
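The challenge-response flow described under "End-to-End Encryption & Cryptographic Authentication", extended with the origin binding that lets passkeys reject fraudulent websites, as an added example that is not code from the original article or from any bank. It is a simplified model rather than the WebAuthn wire format; Ed25519, the names `BankServer`, `deviceRespond` and `runScenarios`, and both origins are assumptions made for illustration.

```javascript
// Added example: a simplified challenge-response model, not the WebAuthn wire format.
const crypto = require("node:crypto");
const BANK_ORIGIN = "https://bank.example"; // constructed value

// Enrollment: the key pair is generated on the device; only the public key is sent to the bank.
const enrollDevice = () => crypto.generateKeyPairSync("ed25519");

// Both sides sign and verify the same bytes: the challenge plus the origin.
const signedBytes = (challenge, origin) => Buffer.from(JSON.stringify({ challenge, origin }));

// Device side: signs the challenge together with the origin the client is actually on.
function deviceRespond(privateKey, challenge, origin) {
  return { challenge, origin, signature: crypto.sign(null, signedBytes(challenge, origin), privateKey) };
}

class BankServer {
  constructor(publicKey) {
    this.publicKey = publicKey;
    this.pending = new Set(); // challenges issued and not yet consumed
  }
  issueChallenge() {
    const challenge = crypto.randomBytes(32).toString("hex");
    this.pending.add(challenge);
    return challenge;
  }
  verify({ challenge, origin, signature }) {
    // Single use: delete() is false for unknown or already-consumed challenges.
    if (!this.pending.delete(challenge)) return "unknown-or-replayed-challenge";
    if (origin !== BANK_ORIGIN) return "wrong-origin";
    const ok = crypto.verify(null, signedBytes(challenge, origin), this.publicKey, signature);
    return ok ? "ok" : "bad-signature";
  }
}

function runScenarios() {
  const device = enrollDevice();
  const bank = new BankServer(device.publicKey);
  const fake = "https://bank-login.example"; // constructed look-alike origin
  const first = deviceRespond(device.privateKey, bank.issueChallenge(), BANK_ORIGIN);
  const legit = bank.verify(first);
  const replay = bank.verify(first); // the same response presented a second time
  // Response produced on the look-alike site and forwarded unchanged.
  const relayed = bank.verify(deviceRespond(device.privateKey, bank.issueChallenge(), fake));
  // Same, but with the origin field altered after signing.
  const rewritten = bank.verify({ ...deviceRespond(device.privateKey, bank.issueChallenge(), fake), origin: BANK_ORIGIN });
  const other = enrollDevice(); // a device that was never enrolled for this account
  const otherDevice = bank.verify(deviceRespond(other.privateKey, bank.issueChallenge(), BANK_ORIGIN));
  return { legit, replay, relayed, rewritten, otherDevice };
}
console.log(runScenarios());
```

Only the first scenario is accepted. The server rejects the others because the challenge was already consumed, the signed origin is not the bank's, or the signature does not match the enrolled public key.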
Singapore banks are leading the way in phasing out SMS OTPs in favor of digital tokens. However, passkeys represent the next evolution in secure authentication, offering true phishing resistance and a seamless user experience.