
The Bangko Sentral ng Pilipinas (BSP) has issued Circular No. 1213, a formal update to its IT Risk Management Framework that places new emphasis on the authentication mechanisms used by regulated entities. For Philippine banks, e-money issuers, and other BSP-supervised institutions, the circular is more than an update: it is a realignment with global expectations for customer identity assurance in digital environments.
Among its most consequential requirements is the shift toward multi-factor authentication (MFA) that is both phishing-resistant and cryptographically verifiable. This marks a clear step away from legacy methods like OTPs and passwords, and toward standards-aligned protocols such as FIDO2, WebAuthn, and device-based authentication.
The BSP’s intention is clear: the rising frequency and sophistication of account takeover (ATO), credential phishing, and SIM-swapping attacks demand a more resilient approach to user identity. Circular 1213 reflects this urgency by setting new expectations for:
Section 5.3.3 of the circular lays out the minimum standards for authentication. It explicitly states that regulated entities must implement MFA that is resistant to phishing and replay attacks. The use of “single-factor authentication,” such as passwords or OTPs sent via SMS, is no longer sufficient, even when paired with other weak mechanisms.
Additionally, the circular requires financial institutions to establish controls that ensure transaction integrity, link the authentication directly to the action being authorized, and retain verifiable, audit-friendly records. These are also core tenets of modern frameworks like PSD2’s Strong Customer Authentication (SCA) rules and the U.S. NIST SP 800-63B identity guidelines.
Source:
BSP Circular 1213 – https://www.bsp.gov.ph/Regulations/Published%20Issuances/Images/Circular_1213.pdf
While many institutions have long relied on OTPs, authenticator apps, or push notifications, these tools no longer satisfy regulatory or technical expectations.
OTPs, especially via SMS, are vulnerable to phishing, SIM-swap attacks, and malware interception. Push-based systems offer better UX but often lack transaction linkage, attestation, or secure audit trails. Even app-based authenticators can fall short if they rely solely on knowledge factors and don’t cryptographically bind the device.
This mismatch between the tools in use and the controls now required isn’t just a compliance issue—it’s an operational and reputational risk. As seen in other markets, regulators are increasingly willing to act when financial institutions rely on outdated authentication that fails to protect end users.
Related global frameworks:
Passkeys, based on the FIDO2 and WebAuthn standards, offer a modern solution. They eliminate passwords entirely, using a public-private key pair stored securely on the user’s device, combined with biometric verification. Because the private key never leaves the device and is never shared, passkeys are inherently resistant to phishing and credential theft.
Passkeys satisfy many, but not all, of the controls outlined in BSP 1213. For example, they verify the user securely and locally, but they may not offer full visibility into device trust, especially when passkeys are synced across multiple devices via a platform authenticator (e.g., iCloud Keychain, Google Password Manager).
This is where Passkeys+, an emerging architecture built around passkeys with additional device attestation, becomes relevant.
Passkeys+ introduces a second layer: cryptographic device binding. This ensures that not only is the user verified, but the device they’re using is recognized, registered, and provably secure. This enables financial institutions to satisfy two critical requirements simultaneously:
Solutions that follow this model are capable of:
BSP’s updated framework encourages institutions to treat authentication not as a single event, but as a continuous posture of assurance. That includes how users log in, authorize payments, respond to 3DS challenges, and switch between app and browser contexts.
The model enabled by Passkeys+ allows a single credential to span these environments securely, using cryptographic assertions that can be verified in real time by the relying party. Importantly, this approach works across platforms—not just in apps, but in browser-based flows where phishing and redirection risks are highest.
Many of the performance tradeoffs institutions once faced—higher friction, lower success rates, costly OTP infrastructure—are no longer necessary. The technical frameworks now exist to meet high security standards and deliver a smoother user experience at the same time.
BSP Circular 1213 represents a meaningful step forward for digital trust in the Philippines. It brings national expectations in line with global authentication standards and signals that convenience alone is no longer an acceptable reason to compromise security.
While no single technology solves every problem, modern authentication tools—particularly passkeys and enhanced models like Passkeys+—give regulated entities a credible, standards-aligned path to compliance. More importantly, they offer a foundation that is resilient, user-friendly, and future-proof.
As implementation deadlines loom and audits begin, the institutions that act early will be the ones best positioned to avoid risk and deliver meaningful improvements to both security and user experience.