Vietnam Banks race to Passkeys after $744M Fraud Crisis [2026]

1. Introduction: Vietnam Passkeys#

Vietnam's banking and payments industry is undergoing a rapid transformation. In 2024 the State Bank of Vietnam (SBV) introduced Decision No. 2345/QD‑NHNN, a regulation that requires biometric authentication for high‑risk transactions starting July 1 2024. The mandate is a response to soaring online fraud: victims lost roughly $744 million in 2024. Multi‑factor authentication via SMS one‑time passwords (OTP) remains prevalent, but regulators determined that knowledge‑based codes were too easy to phish. The SBV is therefore pushing banks and e‑wallet providers toward passwordless, biometric‑backed authentication. Early signs suggest that the shift is already paying off: by mid‑2024 tens of millions of Vietnamese banking accounts were enrolled in biometric systems.

User sentiment is also evolving. A VinCSS report on Vietnamese banking apps found that biometrics are now the most commonly used authentication method for high‑risk transactions and that a majority of respondents rate them the most convenient. Despite this, roughly one in three respondents worry about their biometric data being stolen or faked. The report argues that these fears often confuse “biometrics as a password” with biometrics as a local unlock for a FIDO passkey. In the FIDO model a private key is stored locally and only unlocked by a biometric match, meaning the biometric never leaves the device. VinCSS’s overarching recommendation is to combine biometrics with FIDO2 passkeys, noting that passkeys are rapidly saturating the market as part of a mandatory compliance sprint.

2. The Rollout Tracker: Who is Live?#

Vietnamese financial institutions and payment services have reacted differently to the new mandate. Below is a snapshot of the major players as of late 2025.

2.1 Vietcombank Passkeys#

Status: Live

Vietcombank adopted biometric authentication for high‑risk transactions ahead of the July 2024 mandate.

• Among the first major banks to comply with Decision 2345
• Integrated real‑time fraud alerts alongside biometric verification

Biometric Update

2.2 Techcombank Passkeys#

Status: Live

Techcombank connected its banking apps directly to the national population database.

• Aligned its APIs with the government's QR‑code ID system to improve verification accuracy
• Issues flagged by customers include the need to update chip‑based ID data and device compatibility with biometric APIs

Techcombank Digital Banking

2.3 ACB (Asia Commercial Bank) Passkys#

Status: Live

ACB rolled out facial authentication in the ACB ONE app pursuant to SBV Decision 2345 and Circulars 17/2024 & 18/2024.

• The app matches a live face capture with biometric data stored in the Ministry of Public Security’s database before allowing online transactions

ID Techwire

2.4 Foreign Banks (HSBC, UOB)#

Status: Facing implementation challenges

Foreign banks have faced complexity adapting to the mandate.

• Banks that relied on legacy systems struggled to achieve full biometric coverage
• Integration with Vietnam's national population database required significant technical effort

DEV Community

2.5 MoMo, Viettel Money, ZaloPay, ShopeePay, VNPAY (e‑wallets)#

Status: Planned for 2026

Under SBV Circular 41/2025, e‑wallet providers must verify customers’ identity and biometric data in person or through approved remote procedures before activating wallets.

• The regulation applies from 2026
• As of March 31 2025, 47 providers were licensed

Biometric Update

2.6 VinCSS (passkey provider)#

Status: Live (hardware)

VinCSS launched the country’s first FIDO2 security keys.

• The VinCSS FIDO2® Touch 1 allows users to log in with a single touch
• Enables passwordless, strong multi‑factor authentication and eliminates the need for SMS OTPs

VinCSS product page

3. From Payment Fraud to regulatory Mandate#

3.1 Fraud and Phishing Crisis#

Vietnam’s digital economy has exploded in recent years, but so have fraud losses. In 2024 victims collectively lost approximately $744 million to online fraud. Attackers exploited weaknesses in SMS‑based OTP flows and launched voice‑bot phishing campaigns to trick users into revealing codes. The SBV recognized that Smart OTP - a soft token generated in the bank’s mobile app - is still a shared secret and therefore susceptible to phishing.

3.2 Decision No. 2345/QD‑NHNN#

In December 2023 the SBV issued Decision No. 2345/QD‑NHNN, which mandates biometric authentication for specific categories of transactions. The regulation came into effect on July 1 2024 and requires:

• First‑time mobile banking transactions - biometric verification must be used when a customer performs their first online transaction or uses a new device.
• High‑value transfers - transactions exceeding VND 10 million (~€375) or cumulative daily transfers over VND 20 million (~€750) also require biometric verification. Payments below these limits can still use OTPs.
• Approved biometric methods - acceptable methods include facial recognition, fingerprint and iris scans. The biometric data must match the information on the chip‑based ID card or be verified against Vietnam’s digital population database.

In practice this means that the bank’s identity check now combines possession (the chip ID card), inherence (a biometric) and - increasingly - a FIDO passkey bound to the device. Decision 2345 was followed by Circular 50/2024/TT-NHNN governing biometric processes, and by 2025 its scope expanded to corporate accounts. Institutions that fail to meet the deadlines risk suspension of services.

3.3 The 86 Million Account Purge: a cautionary Tale#

The scale of Vietnam's biometric enforcement is unprecedented. On September 1, 2025, the SBV deactivated over 86 million bank accounts - representing 43% of all accounts in the country (86M of 199M total) - for failing to complete biometric verification (Vietnam News, Human Rights Foundation).

The fallout has been severe:

• Foreigners locked out entirely: "Their app's AI can't recognise the faces of foreigners," reported one user on Reddit r/VietNam. Another thread with 220+ comments titled "What on earth is going on with banking for foreigners?" describes banks freezing accounts "at a whim" (Reddit). Expats abroad face an impossible choice: fly back to Vietnam or lose access to their funds.
• E-wallets abandoning foreigners: MoMo, Vietnam's largest e-wallet, effectively stopped working for foreigners after the biometric rules took effect. "It feels like foreigners are being forced out of these apps," complained one user.
• Deepfakes bypassing facial biometrics: Despite the draconian enforcement, fraudsters are already circumventing the system. In May 2025, Vietnamese authorities busted an AI-powered money laundering ring using deepfake face scans to bypass biometric verification, highlighting how AI deepfakes and mule accounts continue to fuel fraud losses.

This is precisely why Biometric Update recommends Vietnamese banks adopt FIDO passkeys: facial biometrics alone are not phishing-resistant. A passkey cryptographically binds authentication to the legitimate domain, making deepfake attacks irrelevant.

3.4 Digital ID and data cleanup initiatives#

Vietnam's digital transformation hinges on a national population database. Since 2021 the government has issued chip‑based ID cards that embed photographs, QR codes and digital signatures. Authorities are linking this database to banks and public agencies to streamline online services. To ensure the system's integrity the central bank is forcing banks to validate customer records against biometrics captured through chip IDs and the VNeID platform; more than 120 million verification requests have already been processed. Beginning January 1 2026 domestic customers must primarily present a chip‑based ID card or a Level 2 electronic ID for banking services. The measure aims to improve data accuracy and fraud prevention.

3.5 E‑wallet regulations#

Biometric rules extend beyond banks. Circular 41/2025 requires all e‑wallet providers to verify customers’ identity documents and biometric data before activating a wallet. Foreigners who cannot be physically present may complete verification through authorised third‑party channels. As of March 31 2025, Vietnam had licensed 47 e‑wallet providers, including MoMo, Viettel Money, ZaloPay, ShopeePay and VNPAY. The goal is to tie mobile payments tightly to the national digital identity infrastructure and eliminate anonymous wallets.

Circular 41/2025 also raises the monthly transaction limit for essential services (like electricity and water) to 300 million VND, facilitating higher-value digital payments.

4. Why APAC requires adapted Strategies: Device and Browser Reality#

4.1 Device Landscape in Vietnam#

Unlike Japan, where Windows desktops dominate professional environments, Vietnam’s financial services ecosystem is overwhelmingly mobile‑first. StatCounter data show that as of December 2025 Android accounted for roughly 78% of the mobile operating system market while iOS held ~21 %. By vendor the top devices were Apple (42.71 % share), Samsung (21.99 %), Oppo (13.56 %) and Xiaomi (10.37 %) data. This fragmentation means banks must support a wide range of Android OEMs with varying biometric sensors and browser implementations. It also suggests that cross‑device flows - for example using a phone’s biometric sensor to unlock a passkey for desktop login - will be critical because many consumers still access banking websites via desktop browsers.

4.2 Browser Considerations#

Passkeys rely on WebAuthn and CTAP2 support in browsers. On Android, Chrome and Samsung Internet now support passkeys, but OEM‑specific browsers may lag on API updates. iOS Safari and Chrome offer built‑in iCloud passkey sync, but Apple’s market share is lower than in Japan. Local browser Cốc Cốc (~4.4% share) also requires specific testing. Developers should test flows on older Android versions and less‑common browsers to ensure that passkey creation prompts appear correctly. They should also implement cross‑device mechanisms - such as QR‑code flows or Bluetooth proximity - to let users with only mobile passkeys sign into desktop sessions.

4.3 Back‑end and Network Policies#

Many Vietnamese enterprises operate in controlled networks with proxy servers and strict firewall rules. These policies can block FIDO metadata downloads or Google’s passkey attestation endpoints. Early deployments have run into issues where WebAuthn requests time out if metadata cannot be fetched. To mitigate this, banks should pre‑cache metadata or use offline attestation formats and ensure that their security policies allow outbound connections to FIDO infrastructure.

5. Implementation Considerations: The Failure Modes#

Real‑world deployments in Vietnam highlight several challenges.

1. Customer onboarding bottlenecks (The "NFC Wall"). The requirement to read the chip-based ID card (CCCD) via NFC has proven to be the single biggest friction point. Users frequently fail to scan because of thick phone cases, dirty chips, or, uniquely, placing the card on metal tables, which causes NFC interference. "Lỗi quét CCCD" (CCCD scan error) became a top search term in mid-2024.
2. The "10-Fail" Lockout Trap. Banks like Vietcombank have introduced strict anti-fraud rules where 10 consecutive biometric failures (e.g., FacePay errors) result in a feature lockout, requiring a branch visit to unlock. For users with aging phone sensors or poor lighting, this turns a "security feature" into a "denial of service."
3. Legacy system limitations. Foreign banks such as HSBC and UOB struggled because their core systems lacked integration with Vietnam’s biometric API. This resulted in incomplete coverage and temporary service disruptions. Banks should audit their authentication stacks and invest in modern identity platforms that support FIDO and biometric verification.
4. Verification errors. Early integrations with the national population database produced high rejection rates due to data mismatches. Banks that aligned their APIs with the government's QR‑code authentication service saw significant improvements in verification accuracy. This underscores the importance of meticulous data mapping and API testing.
5. User experience and accessibility. In the VinCSS user study, one in six users said that biometric scanning tools on banking apps were “not smooth”. Elderly customers overwhelmed service desks in late 2024 because they were unfamiliar with biometric technology. Products need fallback flows and clear instructions, and support for assistive technologies such as screen readers.
6. Fragmented hardware. Android devices vary widely in sensor quality and security chip availability. Some low‑end phones lack secure enclaves to store passkeys, forcing banks to fall back to server‑side biometrics or OTPs. Developers should implement device capability checks and provide alternatives such as hardware security keys (e.g., VinCSS FIDO2® Touch 1) for users with incompatible devices.
7. Foreigners systematically excluded. Current facial recognition systems are trained predominantly on Vietnamese faces. Multiple Reddit threads document foreigners being told the "AI can't recognise" their faces, forcing them to rely on branch visits - or worse, losing access entirely when abroad. Banks serving international customers must implement fallback authentication paths.
8. Deepfake vulnerability. Server-side facial biometrics are now being bypassed by AI-generated deepfakes. Vietnamese police have already busted money laundering rings using fake face scans. This is the core argument for passkeys: even if a deepfake fools a facial recognition camera, it cannot forge a cryptographic signature bound to a specific device and domain.

6. Strategic Recommendations#

1. Adopt passkeys to complement biometrics. Biometrics alone are not enough; they must unlock a cryptographic private key stored on the user’s device. Implement FIDO2 passkeys so that the biometric data never leaves the device and cannot be intercepted. Encourage users to upgrade from Smart OTP to passkeys by highlighting reduced friction and phishing resistance.

2. Integrate with the national ID infrastructure. Align your banking APIs with the government’s QR‑code authentication service to reduce verification errors. Ensure that your system can read chip‑based IDs via NFC and validate VNeID Level 2 credentials. Pre‑cache attestation metadata to operate in restricted network environments.

3. Educate customers. Communicate the differences between biometric verification and passkey unlocking. Provide clear instructions for updating chip‑based IDs, registering biometrics and adding passkeys. Proactively warn users about scams that exploit the biometric update process.

4. Offer hardware alternatives. Not all devices support on‑device passkeys. Support external authenticators such as security keys. The VinCSS FIDO2® Touch 1, for example, lets users authenticate with a simple touch and eliminates the need for SMS OTPs.

5. Plan for multi‑device and cross‑platform flows. Provide QR‑code or Bluetooth‑based cross‑device sign‑in so that users can authenticate on a desktop using a passkey stored on their phone. Test your flows across different Android OEMs and browsers.

6. Monitor performance and iterate. Track metrics such as authentication success rates, fraud rates and customer support load. Early adopters like Vietcombank have demonstrated that biometric adoption can reduce fraud and increase customer trust. Use these insights to refine your roll‑out strategy.

7. How Corbado can help you#

Corbado's adoption platform helps banks and fintechs deploy passkeys quickly and comply with Vietnam's new regulations. Our platform offers:

• Turn‑key passkey infrastructure. Easily add FIDO2/WebAuthn support to your existing apps with SDKs for web and mobile. Our servers handle attestation, device binding and key management, even in restricted network environments.
• Cross‑device UX components. Pre‑built components provide QR‑code and Bluetooth flows that let users sign in on desktops with a phone‑based passkey. We support Android, iOS and all major browsers.
• Regulatory alignment. Our team monitors local regulations and can help integrate with national ID systems to meet SBV requirements under Decision 2345 and Circular 50.
• 24/7 support and on‑site assistance. As with our Japan customers, Corbado provides hands‑on support during rollout to resolve edge cases and ensure a smooth migration to passkeys.