Financial regulators are ordering banks to discontinue SMS‑based one‑time passwords and to adopt in‑app tokens and biometric approvals for electronic transactions. The shift aims to strengthen security, but it also raises questions about the relative safety of facial recognition, fingerprint scans, and traditional PINs.
Two common authentication models coexist on smartphones: one relies on facial recognition combined with a PIN, while the other uses a fingerprint sensor together with a PIN. Both methods are marketed as more convenient than memorized passwords, yet their legal and privacy implications differ markedly.
Technically, biometric systems such as Face ID and fingerprint scanners offer high resistance to spoofing. Facial recognition can operate despite wet or dry hands, and facial features cannot be lifted from surfaces as easily as fingerprints. Nevertheless, the strength of these systems does not automatically translate into constitutional safeguards.
In the United States, courts have generally treated compelled biometric unlocking as the production of physical evidence, comparable to providing a fingerprint or DNA sample. By contrast, forcing a suspect to disclose a memorized PIN or password is viewed as testimonial and therefore protected against self‑incrimination.
Philippine jurisprudence follows a similar distinction. The Supreme Court has ruled that compelling a person to provide physical evidence, such as a fingerprint, does not invoke constitutional protection, while requiring the recollection and entry of a PIN is considered a testimonial act that requires a court order.
Legal scholars argue that biometric data should receive the same level of protection as knowledge‑based credentials because it grants access to extensive personal information stored on devices and servers. The current split between “what you are” and “what you know” may leave biometric data vulnerable to compulsory disclosure.
Unlike passwords, biometric traits are permanent and cannot be changed if compromised. A breach of government, banking, or payment‑service databases that store facial or fingerprint data could expose individuals to long‑term identity theft, far beyond the risk of a forgotten password.
Bank branches increasingly require customers to provide a thumbprint in addition to identification documents and signatures. This practice shifts the burden of fraud proof onto the account holder, as the biometric capture is intended to verify that the person present is the legitimate owner.
The central bank’s directive to phase out SMS OTPs reflects a broader regulatory push toward biometric authentication. While the move may reduce phishing and SIM‑swap attacks, it also compels consumers to adopt security methods that lack explicit constitutional protection.
Regulators must consider whether mandating biometric verification undermines legal safeguards that currently protect PINs and passwords. The question arises whether a bank’s decision to accept a biometric transaction over a password‑based one will affect the outcome of fraud investigations.
As biometric technologies become integral to banking, travel, and personal devices, the balance between convenience, security, and privacy is being renegotiated. Policymakers face the challenge of aligning modern authentication practices with constitutional rights designed for a pre‑digital era.