--- url: 'https://www.corbado.com/blog/vietnam-passkeys-overview' title: 'Vietnam Banks race to Passkeys after $744M Fraud Crisis [2026]' description: 'Inside Vietnam''s Passkeys: SBV mandates biometric authentication after $744M in fraud losses. Bank rollout status and enterprise lessons.' lang: 'en' author: 'Vincent Delitz' date: '2026-01-08T13:04:29.894Z' lastModified: '2026-03-25T10:01:32.306Z' keywords: 'passkeys Vietnam, Vietnam biometric banking, Decision 2345 SBV, FIDO authentication Vietnam, Vietnam banking security regulations, Vietcombank passkey, Techcombank passkey, Vietnamese Android passkeys, phishing resistant MFA Vietnam' category: 'Passkeys Strategy' --- # Vietnam Banks race to Passkeys after $744M Fraud Crisis [2026] ## 1. Introduction: Vietnam Passkeys Vietnam's [banking](https://www.corbado.com/passkeys-for-banking) and [payments](https://www.corbado.com/passkeys-for-payment) industry is undergoing a rapid transformation. In 2024 the [State Bank of Vietnam](https://www.corbado.com/blog/vietnam-banking-biometrics) ([SBV](https://www.sbv.gov.vn/)) introduced [Decision No. 2345/QD‑NHNN](https://english.luatvietnam.vn/decision-no-2345-qd-nhnn-dated-december-18-2023-of-the-state-bank-of-vietnam-on-measures-for-safety-and-security-in-online-payment-and-bank-c-285123-doc1.html), a regulation that requires [biometric authentication](https://www.corbado.com/blog/passkeys-biometric-authentication) for high‑risk transactions starting July 1 2024. The mandate is a response to soaring online fraud: victims lost roughly $744 million in 2024. Multi‑factor authentication via SMS one‑time passwords (OTP) remains prevalent, but regulators determined that knowledge‑based codes were too easy to phish. The [SBV](https://www.sbv.gov.vn/) is therefore pushing banks and e‑[wallet](https://www.corbado.com/blog/digital-wallet-assurance) providers toward passwordless, biometric‑backed authentication. Early signs suggest that the shift is already paying off: by mid‑2024 tens of millions of Vietnamese [banking](https://www.corbado.com/passkeys-for-banking) accounts were enrolled in biometric systems. User sentiment is also evolving. A VinCSS report on Vietnamese [banking](https://www.corbado.com/passkeys-for-banking) apps found that biometrics are now the most commonly used authentication method for high‑risk transactions and that a majority of respondents rate them the most convenient. Despite this, roughly one in three respondents worry about their biometric data being stolen or faked. The report argues that these fears often confuse “biometrics as a password” with biometrics as a local unlock for a FIDO passkey. In the FIDO model a private key is stored locally and only unlocked by a biometric match, meaning the biometric never leaves the device. VinCSS’s overarching recommendation is to [combine biometrics with FIDO2 passkeys](https://blog.vincss.net/stories/vietnamese-unicorn-chooses-vincss-passwordless-fido2/), noting that passkeys are rapidly saturating the market as part of a mandatory compliance sprint. ## Key Facts - **86 million bank accounts** (43% of all accounts) deactivated for failing biometric verification in September 2025 - **$744 million lost** to online fraud in 2024, driving the regulatory crackdown - **Circular 50/2024/TT-NHNN** requires PAD/liveness detection certified by **FIDO-accredited labs** - **Foreigners locked out**: Banking apps' AI "can't recognise the faces of foreigners" - per user reports - **E-wallets** face new biometric mandates from **Jan 1, 2026** (Circular 41/2025) ## 2. The Rollout Tracker: Who is Live? Vietnamese financial institutions and [payment](https://www.corbado.com/passkeys-for-payment) services have reacted differently to the new mandate. Below is a snapshot of the major players as of late 2025. ### 2.1 Vietcombank Passkeys **Status:** Live Vietcombank adopted [biometric authentication](https://www.corbado.com/blog/passkeys-biometric-authentication) for high‑risk transactions ahead of the July 2024 mandate. - Among the first major banks to comply with Decision 2345 - Integrated real‑time fraud alerts alongside biometric verification [Biometric Update](https://www.biometricupdate.com/202407/vietnams-digital-identity-transformation-taking-shape) ### 2.2 Techcombank Passkeys **Status:** Live Techcombank connected its banking apps directly to the national population database. - Aligned its APIs with the [government's](https://www.corbado.com/passkeys-for-public-sector) QR‑code ID system to improve verification accuracy - Issues flagged by customers include the need to update chip‑based ID data and device compatibility with biometric APIs [Techcombank Digital Banking](https://techcombank.com/) ### 2.3 ACB (Asia Commercial Bank) Passkys **Status:** Live ACB rolled out facial authentication in the ACB ONE app pursuant to [SBV](https://www.sbv.gov.vn/) Decision 2345 and Circulars 17/2024 & 18/2024. - The app matches a live face capture with biometric data stored in the Ministry of Public Security’s database before allowing online transactions [ID Techwire](https://idtechwire.com/vietnam-tightens-id-rules-for-banking-pushing-customers-toward-chip-ids-and-eid/) ### 2.4 Foreign Banks (HSBC, UOB) **Status:** Facing implementation challenges Foreign banks have faced complexity adapting to the mandate. - Banks that relied on legacy systems struggled to achieve full biometric coverage - Integration with Vietnam's national population database required significant technical effort [DEV Community](https://dev.to/corbado/vietnams-biometric-verification-mandate-key-regulatory-impact-and-opportunities-for-banks--4cgn) ### 2.5 MoMo, Viettel Money, ZaloPay, ShopeePay, VNPAY (e‑wallets) **Status:** Planned for 2026 Under [SBV](https://www.sbv.gov.vn/) [Circular 41/2025](https://english.luatvietnam.vn/circular-no-41-2025-tt-nhnn-dated-november-05-2025-of-the-state-bank-of-vietnam-amending-and-supplementing-a-number-of-articles-of-circular-no-40-2-417886-doc1.html), e‑[wallet](https://www.corbado.com/blog/digital-wallet-assurance) providers must verify customers’ identity and biometric data in person or through approved remote procedures before activating [wallets](https://www.corbado.com/blog/digital-wallet-assurance). - The regulation applies from 2026 - As of March 31 2025, 47 providers were licensed [Biometric Update](https://www.biometricupdate.com/202511/digital-wallets-integrate-biometrics-in-india-vietnam-as-taiwan-rolls-out-pocs) ### 2.6 VinCSS (passkey provider) **Status:** Live (hardware) VinCSS launched the country’s first [FIDO2](https://www.corbado.com/glossary/fido2) security keys. - The VinCSS [FIDO2](https://www.corbado.com/glossary/fido2)® Touch 1 allows users to log in with a single touch - Enables passwordless, strong multi‑factor authentication and eliminates the need for SMS OTPs [VinCSS product page](https://vincss.net/product/touch1/) ## 3. From Payment Fraud to regulatory Mandate ### 3.1 Fraud and Phishing Crisis Vietnam’s digital economy has exploded in recent years, but so have fraud losses. In 2024 victims collectively lost approximately [$744 million](https://vietnamnet.vn/en/vietnam-loses-744-million-to-online-scams-in-2024-2352907.html) to online fraud. Attackers exploited weaknesses in SMS‑based OTP flows and launched voice‑bot [phishing](https://www.corbado.com/glossary/phishing) campaigns to trick users into revealing codes. The [SBV](https://www.sbv.gov.vn/) recognized that Smart OTP - a soft token generated in the bank’s mobile app - is still a shared secret and therefore susceptible to [phishing](https://www.corbado.com/glossary/phishing). ### 3.2 Decision No. 2345/QD‑NHNN In December 2023 the [SBV](https://www.sbv.gov.vn/) issued [Decision No. 2345/QD‑NHNN](https://english.luatvietnam.vn/decision-no-2345-qd-nhnn-dated-december-18-2023-of-the-state-bank-of-vietnam-on-measures-for-safety-and-security-in-online-payment-and-bank-c-285123-doc1.html), which mandates [biometric authentication](https://www.corbado.com/blog/passkeys-biometric-authentication) for specific categories of transactions. The regulation came into effect on July 1 2024 and requires: - **First‑time mobile banking transactions** - biometric verification must be used when a customer performs their first online transaction or uses a new device. - **High‑value transfers** - transactions exceeding VND 10 million (\~€375) or cumulative daily transfers over VND 20 million (\~€750) also require biometric verification. [Payments](https://www.corbado.com/passkeys-for-payment) below these limits can still use OTPs. - **Approved biometric methods** - acceptable methods include facial recognition, fingerprint and iris scans. The biometric data must match the information on the chip‑based ID card or be verified against Vietnam’s digital population database. > "Any FIDO authentication solutions... must be certified by an organization recognized by > the [FIDO Alliance](https://www.corbado.com/glossary/fido-alliance)." > > _Circular 50/2024/TT-NHNN_ In practice this means that the bank’s identity check now combines possession (the chip ID card), inherence (a biometric) and - increasingly - a FIDO passkey bound to the device. Decision 2345 was followed by [Circular 50/2024/TT-NHNN](https://english.luatvietnam.vn/circular-no-50-2024-tt-nhnn-dated-october-31-2024-of-the-state-bank-of-vietnam-prescribing-safety-and-security-for-provision-of-online-banking-s-299797-doc1.html) governing biometric processes, and by 2025 its scope expanded to corporate accounts. Institutions that fail to meet the deadlines risk suspension of services. ### 3.3 The 86 Million Account Purge: a cautionary Tale The scale of Vietnam's biometric enforcement is unprecedented. On **September 1, 2025**, the SBV deactivated over **86 million bank accounts** - representing **43% of all accounts in the country** (86M of 199M total) - for failing to complete biometric verification ([Vietnam News](https://vietnamnews.vn/economy/1721534/more-than-86-million-bank-accounts-to-be-terminated-from-september-1.html), [Human Rights Foundation](https://hrf.org/latest/financial-freedom-report-91/)). The fallout has been severe: - **Foreigners locked out entirely:** "Their app's AI can't recognise the faces of foreigners," reported one user on [Reddit r/VietNam](https://www.reddit.com/r/VietNam/comments/1i9beyq/facial_recognition_issues_for_foreigners_on/). Another thread with 220+ comments titled "What on earth is going on with banking for foreigners?" describes banks freezing accounts "at a whim" ([Reddit](https://www.reddit.com/r/VietNam/comments/1kefbct/what_on_earth_is_going_on_with_banking_for/)). Expats abroad face an impossible choice: fly back to Vietnam or lose access to their funds. - **E-wallets abandoning foreigners:** MoMo, Vietnam's largest e-[wallet](https://www.corbado.com/blog/digital-wallet-assurance), effectively stopped working for foreigners after the biometric rules took effect. "It feels like foreigners are being forced out of these apps," [complained one user](https://www.reddit.com/r/VietNam/comments/1g8hx0r/so_momo_wont_work_for_foreigners_anymore/). - **Deepfakes bypassing facial biometrics:** Despite the draconian enforcement, fraudsters are already circumventing the system. In May 2025, Vietnamese authorities busted an [AI-powered money laundering ring using deepfake face scans](https://idtechwire.com/vietnam-busts-ai-powered-money-laundering-ring-using-fake-face-scans/) to bypass biometric verification, highlighting how AI deepfakes and mule accounts continue to fuel fraud losses. This is precisely why [Biometric Update recommends](https://www.biometricupdate.com/202509/to-build-trust-in-biometrics-vietnam-banks-should-adopt-fido-passkeys-report) Vietnamese banks adopt **FIDO passkeys**: facial biometrics alone are not [phishing](https://www.corbado.com/glossary/phishing)-resistant. A passkey cryptographically binds authentication to the legitimate domain, making deepfake attacks irrelevant. ### 3.4 Digital ID and data cleanup initiatives Vietnam's digital transformation hinges on a national population database. Since 2021 the [government](https://www.corbado.com/passkeys-for-public-sector) has issued chip‑based ID cards that embed photographs, QR codes and digital signatures. Authorities are linking this database to banks and public agencies to streamline online services. To ensure the system's integrity the central bank is forcing banks to validate customer records against biometrics captured through chip IDs and the VNeID platform; more than 120 million verification requests have already been processed. Beginning January 1 2026 domestic customers must primarily present a chip‑based ID card or a Level 2 electronic ID for banking services. The measure aims to improve data accuracy and fraud prevention. ### 3.5 E‑wallet regulations Biometric rules extend beyond banks. [Circular 41/2025](https://english.luatvietnam.vn/circular-no-41-2025-tt-nhnn-dated-november-05-2025-of-the-state-bank-of-vietnam-amending-and-supplementing-a-number-of-articles-of-circular-no-40-2-417886-doc1.html) requires all e‑wallet providers to verify customers’ identity documents and biometric data before activating a wallet. Foreigners who cannot be physically present may complete verification through authorised third‑party channels. As of March 31 2025, Vietnam had licensed 47 e‑wallet providers, including MoMo, Viettel Money, ZaloPay, ShopeePay and VNPAY. The goal is to tie mobile [payments](https://www.corbado.com/passkeys-for-payment) tightly to the national [digital identity](https://www.corbado.com/blog/digital-identity-guide) infrastructure and eliminate anonymous [wallets](https://www.corbado.com/blog/digital-wallet-assurance). Circular 41/2025 also raises the monthly transaction limit for essential services (like electricity and water) to **300 million VND**, facilitating higher-value digital payments. ## 4. Why APAC requires adapted Strategies: Device and Browser Reality ### 4.1 Device Landscape in Vietnam Unlike Japan, where Windows desktops dominate professional environments, Vietnam’s [financial services](https://www.corbado.com/passkeys-for-banking) ecosystem is overwhelmingly mobile‑first. StatCounter data show that as of December 2025 [Android](https://www.corbado.com/blog/how-to-enable-passkeys-android) accounted for roughly [78% of the mobile operating system market](https://gs.statcounter.com/os-market-share/mobile/viet-nam) while [iOS](https://www.corbado.com/blog/webauthn-errors) held \~21 %. By vendor the top devices were Apple (42.71 % share), [Samsung](https://www.corbado.com/blog/samsung-passkeys) (21.99 %), Oppo (13.56 %) and Xiaomi (10.37 %) [data](https://gs.statcounter.com/vendor-market-share/mobile/viet-nam). This fragmentation means banks must support a wide range of [Android](https://www.corbado.com/blog/how-to-enable-passkeys-android) OEMs with varying biometric sensors and browser implementations. It also suggests that cross‑device flows - for example using a phone’s biometric sensor to unlock a passkey for desktop login - will be critical because many consumers still access banking websites via desktop browsers. ### 4.2 Browser Considerations Passkeys rely on WebAuthn and CTAP2 support in browsers. On [Android](https://www.corbado.com/blog/how-to-enable-passkeys-android), Chrome and [Samsung](https://www.corbado.com/blog/samsung-passkeys) Internet now support passkeys, but OEM‑specific browsers may lag on API updates. [iOS](https://www.corbado.com/blog/webauthn-errors) Safari and Chrome offer built‑in iCloud passkey sync, but Apple’s market share is lower than in Japan. Local browser Cốc Cốc (\~4.4% share) also requires specific testing. Developers should test flows on older Android versions and less‑common browsers to ensure that [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices) prompts appear correctly. They should also implement cross‑device mechanisms - such as QR‑code flows or Bluetooth proximity - to let users with only mobile passkeys sign into desktop sessions. ### 4.3 Back‑end and Network Policies Many Vietnamese enterprises operate in controlled networks with proxy servers and strict firewall rules. These policies can block FIDO metadata downloads or Google’s [passkey attestation](https://www.corbado.com/faq/why-some-platforms-do-not-support-attestation-for-passkeys) endpoints. Early deployments have run into issues where WebAuthn requests time out if metadata cannot be fetched. To mitigate this, banks should pre‑cache metadata or use offline [attestation](https://www.corbado.com/glossary/attestation) formats and ensure that their security policies allow outbound connections to FIDO infrastructure. ## 5. Implementation Considerations: The Failure Modes Real‑world deployments in Vietnam highlight several challenges. 1. **Customer onboarding bottlenecks (The "NFC Wall").** The requirement to read the chip-based ID card (CCCD) via NFC has proven to be the single biggest friction point. Users frequently fail to scan because of thick phone cases, dirty chips, or, uniquely, placing the card on **metal tables**, which causes NFC interference. "Lỗi quét CCCD" (CCCD scan error) became a top search term in mid-2024. 2. **The "10-Fail" Lockout Trap.** Banks like Vietcombank have introduced strict anti-fraud rules where **10 consecutive biometric failures** (e.g., FacePay errors) result in a feature lockout, requiring a branch visit to unlock. For users with aging phone sensors or poor lighting, this turns a "security feature" into a "denial of service." 3. **Legacy system limitations.** Foreign banks such as HSBC and UOB struggled because their core systems lacked integration with Vietnam’s biometric API. This resulted in incomplete coverage and temporary service disruptions. Banks should audit their authentication stacks and invest in modern identity platforms that support FIDO and biometric verification. 4. **Verification errors.** Early integrations with the national population database produced high rejection rates due to data mismatches. Banks that aligned their APIs with the [government's](https://www.corbado.com/passkeys-for-public-sector) QR‑code authentication service saw significant improvements in verification accuracy. This underscores the importance of meticulous data mapping and API testing. 5. **User experience and accessibility.** In the VinCSS user study, one in six users said that biometric scanning tools on banking apps were “not smooth”. Elderly customers overwhelmed service desks in late 2024 because they were unfamiliar with biometric technology. Products need fallback flows and clear instructions, and support for assistive technologies such as screen readers. 6. **Fragmented hardware.** Android devices vary widely in sensor quality and security chip availability. Some low‑end phones lack secure enclaves to store passkeys, forcing banks to fall back to server‑side biometrics or OTPs. Developers should implement device capability checks and provide alternatives such as [hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys) (e.g., VinCSS [FIDO2](https://www.corbado.com/glossary/fido2)® Touch 1) for users with incompatible devices. 7. **Foreigners systematically excluded.** Current facial recognition systems are trained predominantly on Vietnamese faces. Multiple Reddit threads document foreigners being told the "AI can't recognise" their faces, forcing them to rely on branch visits - or worse, losing access entirely when abroad. Banks serving international customers must implement fallback authentication paths. 8. **Deepfake vulnerability.** Server-side facial biometrics are now being bypassed by AI-generated deepfakes. Vietnamese police have already busted money laundering rings using fake face scans. This is the core argument for passkeys: even if a deepfake fools a facial recognition camera, it cannot forge a cryptographic signature bound to a specific device and domain. ## 6. Strategic Recommendations 1. **Adopt passkeys to complement biometrics.** Biometrics alone are not enough; they must unlock a cryptographic private key stored on the user’s device. Implement FIDO2 passkeys so that the biometric data never leaves the device and cannot be intercepted. Encourage users to upgrade from Smart OTP to passkeys by highlighting reduced friction and phishing resistance. 2. **Integrate with the national ID infrastructure.** Align your banking APIs with the [government](https://www.corbado.com/passkeys-for-public-sector)’s QR‑code authentication service to reduce verification errors. Ensure that your system can read chip‑based IDs via NFC and validate VNeID Level 2 credentials. Pre‑cache [attestation](https://www.corbado.com/glossary/attestation) metadata to operate in restricted network environments. 3. **Educate customers.** Communicate the differences between biometric verification and passkey unlocking. Provide clear instructions for updating chip‑based IDs, registering biometrics and adding passkeys. Proactively warn users about scams that [exploit](https://www.corbado.com/glossary/exploit) the biometric update process. 4. **Offer hardware alternatives.** Not all devices support on‑device passkeys. Support external [authenticators](https://www.corbado.com/glossary/authenticator) such as security keys. The VinCSS FIDO2® Touch 1, for example, lets users authenticate with a simple touch and eliminates the need for SMS OTPs. 5. **Plan for multi‑device and cross‑platform flows.** Provide QR‑code or Bluetooth‑based cross‑device sign‑in so that users can authenticate on a desktop using a passkey stored on their phone. Test your flows across different Android OEMs and browsers. 6. **Monitor performance and iterate.** Track metrics such as authentication success rates, fraud rates and customer support load. Early adopters like Vietcombank have demonstrated that biometric adoption can reduce fraud and increase customer trust. Use these insights to refine your roll‑out strategy. ## 7. How Corbado can help you Corbado's adoption platform helps banks and fintechs deploy passkeys quickly and comply with Vietnam's new regulations. Our platform offers: - **Turn‑key passkey infrastructure.** Easily add FIDO2/WebAuthn support to your existing apps with SDKs for web and mobile. Our servers handle [attestation](https://www.corbado.com/glossary/attestation), device binding and key management, even in restricted network environments. - **Cross‑device UX components.** Pre‑built components provide QR‑code and Bluetooth flows that let users sign in on desktops with a phone‑based passkey. We support Android, [iOS](https://www.corbado.com/blog/webauthn-errors) and all major browsers. - **Regulatory alignment.** Our team monitors local regulations and can help integrate with national ID systems to meet SBV requirements under Decision 2345 and Circular 50. - **24/7 support and on‑site assistance.** As with our Japan customers, Corbado provides hands‑on support during rollout to resolve edge cases and ensure a smooth [migration to passkeys](https://www.corbado.com/blog/user-transition-passkeys-expert-strategies). ## Frequently Asked Questions ### Why are foreigners being locked out of Vietnamese banking apps after the SBV biometric mandate? Facial recognition systems in Vietnamese banking apps are trained predominantly on Vietnamese faces, with users reporting the AI 'can't recognise the faces of foreigners.' Foreigners abroad face the choice of flying back to Vietnam or losing account access entirely, and e-wallets including MoMo have effectively stopped working for foreign customers following the biometric rules. ### Can AI deepfakes bypass Vietnam's new biometric banking verification, and how do passkeys address this? In May 2025, Vietnamese authorities busted a money laundering ring using deepfake face scans to bypass biometric verification, demonstrating that server-side facial recognition alone is insufficient. FIDO passkeys address this by cryptographically binding authentication to a specific device and domain, making deepfake attacks irrelevant even if facial recognition is fooled. ### What NFC chip ID scanning failures should banks prepare for during Vietnamese biometric onboarding? NFC interference from phone cases, dirty chips and metal surfaces caused 'CCCD scan error' (chip ID scan error) to become a top search term in mid-2024 during Vietnam's biometric rollout. Banks should provide clear scanning instructions and maintain branch-based fallback verification for customers who cannot complete NFC enrollment. ### What device and browser fragmentation challenges exist for passkey deployment in Vietnam? Android accounts for roughly 78% of Vietnam's mobile OS market across vendors including Samsung, Oppo and Xiaomi, creating wide variation in biometric sensor quality and browser API support. Local browser Cốc Cốc holds approximately 4.4% market share and requires specific testing, while low-end Android devices may lack the secure enclaves needed for on-device passkey storage. ### How should banks handle customers whose Android devices cannot support on-device passkey storage? Some low-end Android phones lack secure enclaves to store passkeys, requiring banks to fall back to server-side biometrics or OTPs for those users. Banks should implement device capability checks at enrollment and offer hardware security key alternatives such as the VinCSS FIDO2 Touch 1, which enables passwordless authentication with a single touch.