
Japan FSA Passkeys: Push for Phishing-Resistant MFA (2026)

Learn what Japan’s April 16, 2026 FSA campaign actually means for passkeys, phishing-resistant MFA, SMS OTP replacement and financial-services authentication strategy.

Vincent Delitz

Created: April 16, 2026

Updated: April 16, 2026

Key Facts
  • On April 16, 2026, Japan’s Financial Services Agency (FSA) launched a public-awareness campaign with banks, securities associations and the National Police Agency around phishing-resistant MFA, explicitly naming passkeys and PKI as stronger options than legacy password flows.
  • The campaign ships 5 official PDF leaflets covering phishing-resistant MFA and phishing-email awareness, plus 4 promotional videos produced in drama and manga formats, showing that the message is meant for wide public reuse across the financial ecosystem, not only for a limited policy audience.
  • The campaign materials say email and SMS OTP are not effective enough against real-time phishing, man-in-the-middle attacks and malware, which is a much stronger public statement than generic “use MFA” advice.
  • The page is not a standalone new law or deadline, but it is still a major signal: it shows Japan’s regulator now publicly frames the target state as phishing-resistant authentication, not just “more MFA.”
  • By late 2025, industry reporting described Japan’s FIDO Japan Working Group at 64 organizations with 50+ passkey providers live or planned, showing that the FSA was amplifying an already accelerating market rather than introducing a purely theoretical concept.
  • Japan is likely converging on a two-lane model for high-risk financial authentication: consumer-friendly passkeys on one side and PKI / certificate-based authentication on the other, including potential use of My Number card credentials.

1. Introduction: Why the April 16, 2026 FSA page matters#

Japan’s April 16, 2026 FSA page matters because it publicly shifts the target from generic MFA to phishing-resistant authentication. The page names passkeys and PKI as preferred examples, rejects email and SMS OTP as sufficient protection against modern phishing and turns an industry-only compliance discussion into a consumer-facing market signal.


Japan’s April 16, 2026 FSA announcement looks modest at first glance. It is not a new law. It is not a direct enforcement action. It does not publish a fresh compliance deadline. Instead, it introduces a public campaign with downloadable leaflets and posters.

What the Financial Services Agency (FSA) did here is move the conversation from an industry/regulatory channel into the public domain. The regulator is no longer only telling banks, brokers and trade associations to strengthen authentication. It is now telling ordinary users that:

  • password-only authentication is weak,
  • email and SMS OTP are no longer enough,
  • users should prefer phishing-resistant MFA, and
  • passkeys and PKI authentication are the right direction.

That is a major change in tone. And in highly regulated industries like banking, tone often becomes implementation pressure long before the next formal rule text appears.

This public campaign also did not emerge out of nowhere. In its own June 2025 English briefing PDF, the FSA had already warned that ID/password-only authentication is vulnerable and that one-time passwords sent by email or SMS are not effective enough against phishing. Meanwhile, industry coverage in late 2025 described Japan’s market at 64 FIDO Japan Working Group organizations and 50+ passkey providers live or planned, indicating that deployment momentum was already real before the April 2026 public campaign (CNET Japan coverage). For a broader view of how Japanese banks, platforms and regulators have been moving on passwordless, see our passkeys in Japan overview.

2. What the FSA actually published on April 16, 2026#

The April 16 page is a coordinated public campaign package, not a single press note. It bundles 9 reusable assets (5 PDF leaflets and 4 promotional videos), aligns banks, securities groups and police around the same message and tells consumers that phishing-resistant MFA should replace reliance on passwords plus OTP for high-risk financial journeys.

The official page links 5 PDF leaflets, organized as an overview plus detailed versions of two themes (phishing-resistant MFA and phishing-email awareness):

Alongside the PDFs, the page promotes 4 promotional videos on the same two themes, produced in both drama and manga formats so the campaign can reach different age groups and reading contexts, not only policy readers.

The campaign is positioned as a joint effort by the FSA with:

  • nationwide banking associations,
  • shinkin banks,
  • credit cooperatives,
  • labor banks,
  • securities industry groups, and
  • the National Police Agency.

That breadth matters. This is not a niche securities-only warning. It is a coordinated message across Japan’s retail financial ecosystem.

2.1 The central policy message#

The key term used in the campaign is フィッシングに耐性のある多要素認証, meaning phishing-resistant multi-factor authentication.

The leaflets explain that legacy authentication has fallen behind the current threat model:

  • passwords can be phished or reused,
  • email / SMS OTP can be stolen in real time,
  • malware can watch or manipulate the user session, and
  • fake sites can mimic the real brand closely enough that visual inspection is not a reliable defense.

The campaign then presents two primary examples of stronger authentication:

  1. Passkeys
  2. PKI-based authentication

That second part is important. Japan is not framing this purely as “everyone must use passkeys.” The regulator is framing the desired outcome as phishing-resistant authentication, and passkeys are one of the clearest consumer-grade ways to get there.

To make that distinction concrete, the FSA’s framing implicitly separates authentication methods like this:

| Method | Phishing-resistant? | User must manually transmit a secret? | Strategic fit in Japan |
|---|---|---|---|
| Password only | No | Yes | No longer defensible for high-risk flows |
| Email OTP / SMS OTP | No | Yes | Transitional only, weak against relay attacks |
| Proprietary app soft token | Partial | Often yes or approval-based | Better than OTP, but still not equivalent to passkeys |
| Passkeys | Yes | No | Best mass-market consumer path |
| PKI / certificate auth | Yes | No | Strong option for higher-assurance or identity-bound use cases |

2.2 The campaign is also behavioral#

The materials do not only focus on authentication technology. They also tell users to:

  • avoid logging in from links inside email or SMS,
  • use bookmarks or official apps,
  • distrust unfamiliar screens and unusual prompts,
  • prefer official app stores, and
  • be wary of strange browser instructions such as unexpected keyboard shortcuts.

In other words, the FSA is not pretending authentication technology alone solves the entire problem. It is pairing technical countermeasures with behavioral hygiene.


3. What is new here, and what is not#

The April 16 page is new because it changes the public framing, not because it creates a new standalone law. The real development is that Japan’s regulator now publicly explains why passkeys and PKI are better than password-plus-OTP flows, giving financial institutions stronger cover to redesign authentication around phishing resistance.

3.1 What is actually new#

The April 16 page is new in at least four ways:

3.1.1 Passkeys are now part of the regulator’s public vocabulary#

Many regulators talk about MFA in abstract terms. Japan’s FSA is doing something more concrete: it is telling the public that passkeys are a stronger defense against phishing and impersonation than older login patterns.

That matters because public naming changes product decisions. Once the regulator names passkeys publicly, financial institutions can justify investment more easily internally:

  • compliance teams can cite the regulator,
  • risk teams can connect passkeys directly to phishing loss reduction,
  • product teams can position passkeys as aligned with official guidance rather than as an optional innovation project.

3.1.2 The FSA is publicly downgrading OTP#

This is not a subtle implication. The materials state that OTP delivered by email or SMS can still be defeated by:

  • real-time phishing,
  • man-in-the-middle interception, and
  • malware-assisted theft.

That is stronger than a generic best-practice note saying OTP is “less secure.” It is the regulator telling the public that OTP-based MFA does not provide meaningful phishing resistance.

3.1.3 The message is cross-sector#

Japan is not limiting this to one vertical. Banks, brokers and other financial actors are all part of the same public signal. That increases the odds of broader ecosystem normalization:

  • banks can train users to expect stronger login,
  • brokers can make stronger authentication a default for high-risk actions,
  • users will encounter similar language across institutions instead of contradictory explanations.

3.1.4 The FSA is educating the consumer directly#

This is the most important point.

There is a huge difference between:

  • a regulator telling financial institutions what they should implement, and
  • a regulator telling customers what secure authentication now looks like.

The second move reduces the political and UX risk of rollout. A bank or broker can now say: “This is not just our idea; this is the direction the regulator itself is promoting.”

3.2 What is not new#

The page does not itself create:

  • a new standalone mandate,
  • a new implementation deadline,
  • a detailed technical specification for passkeys,
  • a declaration that passkeys are the only acceptable technology, or
  • a list of sanctions tied directly to this campaign.

This distinction matters because many readers will overstate the announcement as “Japan just mandated passkeys.” That is not precise enough.

The better reading is:

Japan’s regulator has now publicly aligned with a phishing-resistant authentication model, and passkeys are one of the regulator-endorsed consumer-facing examples.

That is strategically important even if it is not a new rule by itself.

4. Why the FSA is right to focus on phishing-resistant MFA instead of generic MFA#

The FSA is right because generic MFA still leaves the main fraud path intact. Password plus OTP adds one more reusable secret, while phishing-resistant MFA changes the protocol so the fake site cannot complete authentication even when the user is tricked into trying.

4.1 OTP solves yesterday’s problem#

SMS and email OTP were designed to make credential replay harder. They work against some older attack patterns, but modern attackers do not need to replay a code hours later. They steal it in real time. This matters even more in a market where password reuse in Japan is still extremely high, meaning the first factor is frequently compromised before the OTP step even begins.

That is the central issue with real-time phishing:

  1. A victim lands on a fake site.
  2. The victim enters username and password.
  3. The attacker forwards those credentials to the real site.
  4. The real site requests an OTP.
  5. The fake site asks the victim for the OTP.
  6. The attacker immediately uses it to complete the real login.

In that workflow, the OTP does not stop the attacker. It simply becomes another secret the victim can be tricked into revealing.

4.2 Passkeys change the trust model#

Passkeys work differently because they are origin-bound. The credential can only be used on the legitimate site associated with the passkey’s relying party. The technical basis for this behavior sits in the W3C WebAuthn specification and the FIDO Alliance’s passkey documentation, both of which describe the site-bound challenge-response model that prevents a fake domain from reusing a credential created for the real one.

That means a fake domain cannot simply ask the user to “type the passkey” the way it asks for a password or OTP. There is nothing reusable to type, and the browser / operating system checks the site context before the authentication can proceed.

This is why passkeys are central to phishing-resistant authentication:

  • there is no shared secret to re-enter,
  • the user is not asked to manually transmit a reusable code,
  • the private key never leaves the user device, and
  • the authenticator is bound to the legitimate origin.

This is also why the April 16 campaign matters. The FSA is not only saying “use better MFA.” It is pointing toward authentication methods where the phishing site fails at the protocol layer instead of asking the user to detect the fraud manually.

4.3 PKI matters too#

Japan’s campaign also highlights PKI and explicitly mentions that My Number card credentials can be used in authentication contexts.

That is not accidental. Japan has a deeper institutional history with certificate-oriented identity models than many Western consumer markets. So the likely Japanese end-state is not “passkeys only.” It is closer to:

  • passkeys for mainstream consumer login and step-up flows,
  • PKI / certificate-based authentication for stronger assurance or public-sector-like identity cases,
  • and a broader regulatory preference for phishing-resistant outcomes.

For product teams, that means the right strategic comparison is not “passkeys vs passwords.” It is more like:

  • passkeys vs email/SMS OTP for consumer login,
  • passkeys vs in-app soft tokens for banking UX,
  • passkeys vs PKI for assurance and identity proofing layers.

5. Why April 16 matters even more in the context of Japan’s earlier regulatory direction#

April 16 matters because it converts a supervisory trend into a public norm. After the FSA spent 2025 warning that password-only and OTP-heavy authentication were too weak, the April 2026 campaign tells consumers directly what the replacement should look like: phishing-resistant MFA using passkeys, PKI or both.

By 2025 and early 2026, Japan’s financial sector was already moving toward stronger controls after phishing-related account compromise incidents in securities and other online financial services. The backdrop is a string of high-profile data breaches in Japan that have kept account takeover and credential theft on the regulatory agenda. In related FSA materials and later commentary around guideline changes, the regulator made a sharper distinction between:

  • “some MFA”, and
  • phishing-resistant MFA.

That difference is everything.

Generic MFA can still leave users vulnerable to:

  • OTP theft,
  • fake-site forwarding,
  • push fatigue / approval abuse,
  • compromised endpoints,
  • weak recovery flows.

By contrast, phishing-resistant MFA explicitly tries to block the core fraud path rather than merely add one more hurdle. The April 16 campaign is therefore best seen as a public operationalization of a larger direction already forming in Japan:

  • financial services should not merely add more friction,
  • they should move to authentication methods that break phishing economics.

At a glance, the progression runs across four milestones in under a year:

With sources, the same progression reads:

  • June 2025: the FSA’s English issue summary states that password-only authentication is weak and that email / SMS OTP are not effective enough against phishing.
  • July 15, 2025: the JSDA draft guideline pushes phishing-resistant MFA for sensitive securities actions such as login, withdrawal and bank-account changes.
  • Late 2025: market reporting describes 50+ passkey providers and 64 FIDO Japan Working Group organizations in Japan (CNET Japan).
  • April 16, 2026: the FSA public campaign takes the same phishing-resistant message directly to consumers.

In that sense, the page is less “awareness marketing” than it looks. It is the public face of a deeper regulatory and ecosystem shift.


6. What this means for Japanese banks, brokers and fintechs#

Japanese financial institutions should treat the April 16 campaign as a raised minimum expectation for login, recovery and high-risk account actions. Once the regulator publicly says email and SMS OTP are not effective enough, weak fallback-heavy MFA becomes harder to defend from a fraud, product and supervisory perspective.

6.1 “MFA available” is no longer enough#

Offering SMS OTP as a fallback while marketing the experience as “secure MFA” is becoming harder to defend. The regulator’s public message now makes a more demanding distinction: phishing-resistant MFA should be the destination. Broader industry work on mandating MFA with passkeys points the same way.

That means organizations should evaluate:

  • where SMS/email OTP still exist,
  • which journeys are high risk,
  • whether passkeys are optional or truly encouraged,
  • how much dependency remains on phishable fallback methods.

6.2 High-risk journeys need special treatment#

The most sensitive journeys are not only login. In practice, institutions should review each phishable surface:

  • login,
  • payout / withdrawal,
  • destination account change,
  • recovery and device re-binding,
  • profile and contact detail changes,
  • API or aggregation access.

Many institutions still protect the login page more strongly than the account recovery path. That is backwards. Attackers will use the weakest route available.

6.3 Recovery becomes a strategic product problem#

Once phishing-resistant authentication becomes the benchmark, recovery becomes the hardest part of the design.

A passkey rollout can still fail operationally if recovery falls back to weak email flows, social engineering or support procedures that reintroduce phishable steps. Japan’s FSA campaign does not solve that design challenge, but it makes it impossible to ignore.

6.4 “Official access” UX should become part of product design#

One underappreciated detail from the leaflets is the push toward bookmarks and official apps. That suggests a broader product lesson:

  • branding alone is not enough,
  • login entry points matter,
  • safe routing matters,
  • anti-phishing UX is part of the authentication stack.

For financial institutions, that means:

6.5 Soft tokens are not the same as passkeys#

Some institutions will respond by strengthening app-based approval and calling the problem solved. That can improve security, but it is not equivalent to passkeys.

Why?

  • Many proprietary soft-token flows still depend on the user distinguishing a real site from a fake one.
  • Some flows can still be abused through real-time relay or approval manipulation.
  • App-switching and code-handling add friction and confusion.

Passkeys matter because they reduce both phishing exposure and user effort.

6.6 The bar for competitors just moved#

Once the FSA starts educating consumers directly, laggards become more visible. A firm still relying on password + OTP may soon look outdated relative to peers that offer:

  • passkeys,
  • stronger device-bound authentication,
  • or clearly branded, phishing-resistant login experiences.

That changes the competitive landscape, not only the compliance landscape.

Most of this is not new territory. The Enterprise Passkeys Guide walks step by step through assessment, stakeholder alignment, integration and testing for large-scale consumer deployments, and 10 Passkey Deployment Mistakes Banks Make compiles the recurring failure modes that rushed banking rollouts keep repeating. What the FSA campaign adds is urgency and public backing, not a new playbook.

7. What this means for passkeys specifically#

Japan’s April 16 campaign helps passkeys in three concrete ways: it frames passkeys as fraud controls rather than convenience features, it broadens the internal stakeholder case for deployment and it teaches consumers that passkeys are part of the secure financial login model the regulator now prefers.

7.1 It reframes passkeys as fraud control, not convenience#

Many consumer passkey rollouts are marketed as:

  • easier sign-in,
  • no passwords to remember,
  • faster login.

The FSA’s framing is much sharper:

  • passkeys are a defense against impersonation,
  • passkeys help block phishing,
  • passkeys reduce dependence on reusable secrets.

That is exactly the frame banks and brokers need internally. Security budgets are more easily approved for fraud reduction than for convenience alone.

7.2 It broadens the passkey audience inside financial institutions#

An authentication project usually has to win support from:

  • product,
  • fraud,
  • security,
  • compliance,
  • legal,
  • operations,
  • and support.

The FSA page gives each of those groups a reason to care:

  • fraud sees phishing reduction,
  • security sees origin-bound cryptography,
  • compliance sees regulator alignment,
  • operations sees less OTP friction,
  • product sees a stronger consumer story.

7.3 It helps normalize passkeys for ordinary users#

This may be the most durable effect.

When a national regulator, financial associations and police all present passkeys as a recommended defense, user perception changes. The product team no longer has to introduce passkeys as a strange new feature. They can introduce them as the security method the ecosystem is converging on.

That matters because rollout success often depends less on cryptography than on whether users trust the new flow enough to adopt it.

7.4 It extends the passkey audience beyond tech-forward segments#

The FSA campaign does not only land in banking apps used by tech-forward consumers. It covers securities accounts, labor banks, shinkin banks and credit cooperatives, the parts of Japan’s financial system that older and less tech-forward customers rely on day to day. That is strategically important for passkeys. Once those customers encounter passkeys through their broker, labor bank or local cooperative, passkey familiarity spreads well beyond the early-adopter segment and starts to normalize across the full customer base. For consumer passkey adoption in Japan, that is the kind of tailwind no pure marketing budget can buy.

But it cuts both ways. A wider demographic base also means a much wider variety of devices, OS versions, in-app browsers and credential manager behaviors than a tech-forward rollout would touch. That is exactly where native app passkey errors become a production-grade concern, not an edge case. Banks and brokers responding to the FSA signal should plan for device and app-environment diversity from day one, not discover it during post-mandate support surges.

8. What Japan’s approach teaches other countries#

Japan is becoming a useful case study because it combines supervision, public education and ecosystem deployment in sequence. Other markets often revise guidance without explaining the new security model to users, which slows adoption and makes stronger authentication look like isolated product friction instead of a system-wide upgrade.

8.1 Public campaigns can accelerate technical migration#

Many regulators revise guidance but stop short of public education. Japan is showing a different pattern:

  1. fraud pressure rises,
  2. supervisory direction hardens,
  3. the regulator starts naming phishing-resistant methods publicly,
  4. ecosystem actors gain cover to roll them out faster.

That sequence can reduce rollout friction in a way pure policy text often cannot.

8.2 The target should be phishing resistance, not OTP replacement alone#

Some countries focus too narrowly on “replace SMS OTP.” That helps, but it is incomplete.

Japan’s campaign is better framed because it asks the more fundamental question:

Can this method still be abused when the user is looking at a fake site or a compromised session?

That is the right test.

8.3 Consumer authentication may end up hybrid#

Japan’s simultaneous emphasis on passkeys and PKI suggests a broader truth many markets will rediscover:

  • passkeys are excellent for mass consumer adoption,
  • PKI remains important for high-assurance identity,
  • the strongest ecosystems will combine both instead of forcing one technology to do everything.

That is especially relevant in regulated sectors with national digital identity programs.

9. The practical roadmap for teams responding to this signal#

The right response to the April 16 signal is staged migration, not a rushed replacement program. Teams should first map phishable journeys, then decide where passkeys fit immediately, where PKI or stronger identity binding is still required and how recovery can be redesigned without recreating weak phishing-friendly exceptions.

9.1 Step 1: map all phishable authentication surfaces#

Start with:

  • login,
  • recovery,
  • account changes,
  • transaction confirmation,
  • linked account changes,
  • email-link entry points,
  • call-center override processes.

9.2 Step 2: identify where passkeys fit immediately#

Passkeys are often the clearest win for:

  • retail login,
  • frequent reauthentication,
  • first-party app/web journeys,
  • consumer browser sessions.

9.3 Step 3: decide where PKI or stronger identity binding is still needed#

Some flows may need:

  • certificate-backed identity proof,
  • national ID binding,
  • stronger assurance around sensitive changes,
  • hardware or organizational controls beyond consumer passkeys.

9.4 Step 4: redesign recovery before forcing adoption#

Do not launch strong authentication without designing strong recovery. Otherwise the organization will just recreate phishable workarounds through support and exceptions.

9.5 Step 5: teach users how official access works#

The FSA’s “use bookmarks / use official apps” message should become part of onboarding and support:

  • show the safe route,
  • explain why login links are risky,
  • make the official access path easy to remember,
  • reduce dependence on insecure convenience shortcuts.

10. Conclusion#

April 16, 2026 was not the day Japan legally mandated passkeys. It was the day the FSA made phishing-resistant authentication a public expectation, publicly downgraded OTP-based security and gave banks, brokers and fintechs a much clearer signal that the long-term destination is passkeys, PKI and other non-phishable login models.

Japan’s April 16, 2026 FSA page should not be misread as “Japan legally mandated passkeys today.” That is not what happened.

But it would be equally wrong to dismiss it as a lightweight awareness page.

What happened is more strategically important:

  • the regulator publicly told consumers that password-only and OTP-based flows are no longer enough,
  • it named passkeys and PKI as examples of stronger authentication,
  • it aligned that message across financial associations and police,
  • and it pushed the market conversation from generic MFA toward phishing-resistant authentication.

That is exactly the kind of signal that changes roadmap priorities in financial services.

For Japan, this strengthens the case for wider passkey deployment across banks, brokers and fintechs. For the rest of the world, it is a clear example of how a regulator can do more than set rules: it can reshape the authentication narrative itself.

If there is one takeaway, it is this:

The future state is not “more MFA.” The future state is phishing-resistant authentication. Japan’s FSA is now saying that out loud.

About Corbado#

Japan’s FSA has publicly downgraded password-plus-OTP, but regulators naming passkeys is only half the work. Banks and brokers still have to retire phishable fallbacks on fragmented device fleets without locking users out.

Corbado is the passkey analytics platform for enterprise CIAM teams. It adds passkey analytics and rollout controls on top of your existing IDP, so institutions meeting the FSA’s phishing-resistant MFA bar can phase out SMS and email OTP with audit-grade visibility and device-level kill switches, not blind mandates.

See how Japanese financial institutions can roll out phishing-resistant MFA without terminal lockouts. → Talk to a passkey expert

FAQ#

Did Japan's FSA mandate passkeys on April 16, 2026?#

No. The April 16, 2026 page is a public awareness campaign, not a standalone rule text. What makes it important is that the Financial Services Agency publicly and explicitly promoted phishing-resistant multi-factor authentication, highlighted passkeys and PKI as examples, and aligned that message with banks, securities firms and the National Police Agency.

Why does the FSA say email and SMS OTP are no longer enough?#

The campaign materials explain that OTPs sent by email or SMS can still be bypassed through real-time phishing, man-in-the-middle attacks and malware. In other words, adding a code is not enough if the attacker can trick the user into entering it on a fake site or steal it from the endpoint.

Are passkeys the only phishing-resistant option accepted in Japan's financial sector?#

No. The FSA campaign materials present passkeys and PKI-based authentication as the two main examples of phishing-resistant MFA. That means passkeys are strongly favored, but the broader regulatory direction is toward phishing-resistant authentication outcomes, not a single mandatory consumer technology.

Why is April 16, 2026 important if Japan's supervisory direction shifted earlier?#

Because it marks a shift from regulator-to-industry signaling to regulator-to-public signaling. Once the FSA starts telling consumers directly that passkeys and PKI protect them better than password plus OTP, Japanese banks and brokers gain stronger cover to redesign customer authentication around phishing-resistant methods.
