The Bangko Sentral ng Pilipinas (BSP) has set a June 25, 2026 deadline for banks and financial institutions to adopt stronger authentication systems under the Anti-Financial Account Scamming Act (AFASA).
The directive requires organizations to phase out password-only logins and transition to more secure, phishing-resistant methods such as passwordless authentication based on FIDO (Fast Identity Online) standards.
The regulation follows a rise in online fraud and identity-related scams in the Philippines, which have increased by 35 percent over the past two years. Globally, the exposure of billions of passwords in recent breaches has further highlighted the limitations of traditional credentials.
To comply with the updated rules, financial institutions and regulated entities will need to implement systems that combine fraud management with robust identity verification. This includes the use of passkeys, physical security tokens, and other credentialing solutions that reduce reliance on easily compromised passwords and one-time passcodes.
Technology providers, including HID, have begun offering solutions tailored to Philippine enterprises preparing for the transition. HID recently introduced an Enterprise Passkey Management (EPM) platform designed for large-scale credential deployment and lifecycle management.
It also rolled out updated hardware credentials, such as Crescendo Keys, Crescendo Cards, and Omnikey readers, that integrate with identity platforms like Microsoft Entra ID.
Some of these new devices also combine physical access control with digital authentication, a feature that could help institutions manage security requirements across both workplace facilities and online systems.
“Passwordless authentication is no longer optional — it is now a regulatory requirement in the Philippines,” said Sean Dyon, vice president & head of the authentication business unit at HID.
“Our next-generation FIDO portfolio gives Philippine enterprises the hardware diversity and centralized management capabilities needed to deploy and manage passkeys at scale, while reducing reliance on phishable credentials like passwords and OTPs to enhance organizations’ overall cybersecurity posture.”


