Setting a new standard for mobile banking security across APAC
Industry
Banking / Financial services
Size
10K+
Challenge
A Tier 1 commercial bank had customers relying on SMS-based OTPs and passwords, leaving them exposed to phishing, SIM swapping, and credential theft, with measurable costs in fraud losses and support overhead.
Solution
1Kosmos deployed FIDO2 passkeys across the bank’s mobile banking platform, replacing SMS OTPs with biometric authentication. Passkeys are stored locally on users' devices and never transmitted across networks, eliminating the vulnerabilities of legacy authentication.
First in the Philippines
The client became the first financial institution in the Philippines to offer next-generation MFA, setting a new benchmark for mobile banking security.
SMS OTPs were previously relied on for transaction approvals, which created three growing problems: high telecom delivery costs, user friction from SMS network delays, and increasing exposure to SIM-swapping attacks. Transitioning to 1Kosmos also positioned the client to meet stringent digital identity regulations while fully modernizing its mobile banking experience.
Authentication that can't be phished
To address these challenges, 1Kosmos FIDO2 mobile SDK was embedded into the client's existing banking application, transforming each user's smartphone into a secure biometric authenticator.
Passkeys change the underlying security architecture in three ways:
No Shared Secrets. Cryptographic credentials are generated and stored locally in the device's secure enclave, never transmitted across networks or held on centralized servers
No Attack Surface. With no password to steal and no SMS code to intercept, the architecture neutralizes credential stuffing, phishing, and SIM-swapping attacks entirely
Device-Native Biometrics. Authentication relies on local device biometrics such as Apple FaceID or Android fingerprint scanning; biometric data never leaves the user's phone
1 Million transactions. Zero passwords.
For high-volume consumer banking, implementation strategy is as critical as the technology itself. Rather than forcing an abrupt transition, the bank executed a phased rollout.
The 1Kosmos mobile SDK bound each user's device to their banking profile on first login, from which point users were onboarded to passwordless transaction approvals. The platform quickly reached over 1 million financial transactions across 100,000 users post-rollout (April 2026).
Tangible ROI
The results were immediate across both security and operations.
Customers now approve transactions in seconds using familiar biometrics, eliminating the friction and delays of waiting for SMS codes. By moving off legacy authentication entirely, the bank is also eliminating the telecom costs associated with delivering millions of SMS OTPs each year.
A blueprint for APAC banking
This deployment demonstrates the scalability of the FIDO2 mobile SDK in high-volume, highly regulated environments. As financial institutions across APAC face growing regulatory pressure to move beyond OTPs, these results offer a replicable, high-ROI model for the region.
See what this looks like for your institution
The Chinabank deployment is replicable. If you're evaluating FIDO2 passkeys for high-volume consumer banking, we can walk you through the architecture, the rollout approach, and the numbers.
