The OTP era in Thai banking is quietly ending, and most boards have not noticed FIDO-grade Passkey

A short ride from Suvarnabhumi airport, paid for by an AI agent and authenticated by a FIDO-grade passkey, is more interesting than the headlines made it sound.

Author: Sarah Huang, Managing Partner at H&F Advisers It's the pilot that mattered, and why the headlines missed it, in late April, Mastercard and Krungthai Card put out a press release that, on the face of it, read like a novelty item. An AI agent had booked a car from Suvarnabhumi to Central Chidlom through a mobility partner called Elife, and the payment had gone through end to end without a human pressing a button at checkout. The release called it Thailand's first authenticated agentic transaction, and most regional coverage filed it under "AI does something" and moved on. (Mastercard Newsroom)

The agent-booked-a-ride story is fine. It is also not the story.

The story, if you read the release carefully, is in two clauses near the bottom: the transaction used tokenised credentials authenticated with Mastercard Payment Passkeys, and consumer consent was captured and the purchase confirmed via those same passkeys. (The Paypers) That is the structural fact. The novelty of an AI agent buying a ride is, in the literal sense, a side effect of a deeper change in how banks in Thailand are about to authenticate every digital transaction their customers make. The OTP era is ending. The FIDO era is starting. From where we sit at H&F, very few Thai bank boards have fully reckoned with what that means.

This piece is about three things. What FIDO actually is and why it matters for a bank. What is happening in Thailand specifically, set against the wider regional picture. And what banks in Bangkok will need to do operationally, in their organisation and their technology, to actually live in the world that the Bank of Thailand, Mastercard, and most of the rest of Asia are nudging them toward.

A short explainer, because we still keep being asked

FIDO, for the people who have been busy with other problems, stands for Fast Identity Online. It is an industry alliance launched in 2012 whose specifications, principally FIDO2 and the W3C's Web Authentication API, underpin what most consumers now know as passkeys. Mastercard has been a member since the alliance existed, alongside the obvious cast of Google, Apple, Microsoft, Visa, and a long list of banks. (Corbado on Mastercard Passkeys)

The mechanics are less complicated than the acronyms make them sound. A traditional password is a shared secret. The customer knows it, the bank stores some version of it, and any attacker who steals the bank's password store or tricks the customer into typing it on a fake site walks away with everything they need to log in. An OTP delivered by SMS is the same problem one layer up. The secret is generated freshly each time, but it still travels across an insecure channel to a customer who can be persuaded to read it out to a scammer. FIDO replaces the shared secret with a public-private key pair. The customer's device generates a private key that never leaves it, and the bank stores only the corresponding public key. To log in, the bank sends a challenge, the device signs that challenge with the private key, and the bank verifies the signature against the public key. (IBM on FIDO2)

Three properties follow from this design, and all three matter from a banking risk angle. First, the cryptography is origin-bound. The device will only sign challenges that come from a domain it was registered with, which is why FIDO is recognised by CISA as phishing-resistant multi-factor authentication and now sits inside NIST's updated digital identity guidelines as a recommended method. (FIDO Alliance) Second, there is no shared secret to steal. A breach of the bank's authentication store yields public keys, and public keys are not useful to an attacker on their own. Third, the user's biometric or PIN never leaves their device. T

The translation for a CIO is straightforward. FIDO moves the trust anchor from a password store on the bank's side to a key pair on the customer's device. That sounds technical and is, but it is also an organisational change. A bank that takes FIDO seriously is, over time, taking apart its SMS authentication budget, its OTP gateway contracts, parts of its call-centre password-reset queue, and a good slice of its fraud operations playbook, and it is replacing all of it with device-bound credentials and a different shape of identity team.

The wider numbers tell you how far this has run. The FIDO Alliance's State of Passkeys 2026 report puts five billion passkeys now in active use globally, 90 percent consumer awareness, 75 percent of consumers having enabled a passkey on at least one account, and 49 percent using passkeys regularly when they are available. (FIDO State of Passkeys 2026) Among the organisations the report tracks, fintech and banking lead industry-wide adoption at roughly 60 percent of eligible users actively signing in with a passkey in the last 30 days. (Help Net Security on passkey adoption 2025) JPMorgan Chase reported a 94 percent reduction in account takeovers during its passkey beta. That is the kind of number that ends authentication debates in a CISO's office.

Why the Bank of Thailand is pushing in this direction, even if it has not said FIDO out loud

The Bank of Thailand has been pushing Thai banks toward stronger authentication for some time, with increasing urgency. In March 2025 the central bank's notification on security measures for financial services on mobile devices came into force, prohibiting links inside SMS and email, restricting one mobile device per user for mobile banking access, and requiring additional identity verification for transactions over 50,000 baht per instance or 200,000 baht per day. (Lexology on BOT mobile banking rules) A second tranche of measures specifically on mobile banking security followed in April 2025. (Bangkok Global Law on BOT notification) The notification does not say "use FIDO." It does not have to. The combined effect of the restrictions is to constrain SMS-based authentication and to make app-based, device-bound verification the path of least resistance.

The push has numbers behind it. I will point out, that an explicit push by the Bank of Thailand, mentioning FIDO-grade authentication, hasn't been published as of today, in comparison to (BSP 1213 Circular by Banko Ng Sentral Phillippines) where it is explicitly part of the mandate.

(Nation Thailand on 98 billion baht losses) Roughly three million accounts have been frozen as part of the central bank's anti-mule campaign, and over 2.8 million mule accounts have been dealt with under the wider crackdown. (BioCatch on Thai mule accounts) The so-called money-sucking apps wave, peaking at 7,444 cases in 2023, was effectively eliminated by early 2025. SMS OTP-based flows, by contrast, are still very much present in the underlying authentication mix, and they remain the principal entry point through which social-engineering attacks succeed.

This is the setup against which the KTC and Mastercard pilot lands. Not as an AI demo, but as the first regulated, mainstream-issuer use of Mastercard Payment Passkeys in Thailand. (Financial IT) The same passkey infrastructure that authenticates an agent buying a taxi can authenticate a human buying anything else. Every Thai issuer that is paying attention has now seen one of their peers go first, and the cover story has been provided. Krungthai's wider posture matters here too. Payong Srivanich, the bank's chief executive, has set out a strategy built around a "carrier and speedboat" model with over USD 600 million invested into fintech innovation, and the Pao Tang superapp now sits at roughly 40 million users. (The Asian Banker on KTB digital strategy) KTB has been quietly building authentication primitives that look an awful lot like the building blocks of a passkey roadmap: QR-based session authentication, a verified-identity layer in Paotang Pass, and a developer programme that exposes those primitives to partners. (Krungthai developer authentication docs)

What this actually means inside a Thai bank

From inside a bank, the FIDO transition is not a single project. It is a redesign that touches four functions at once: identity and authentication, fraud and security operations, customer experience and journey design, and procurement. The mistake we see most often when we sit with Thai bank executives is to scope this as a security project, owned by the CISO, with a line item for an authentication platform. It is not that. It is a customer-experience redesign that has been forced by a security problem, and the org chart needs to reflect that. The banks that we see making real progress have a named owner who sits across security, customer-facing digital, and risk, with explicit air-cover from the COO or the CEO. A Regional look at what's happening on the regulatory side, from FIDO Alliance

Region: Thailand

The identity and authentication function

The most obvious change is on the inside. A bank running FIDO at scale needs an authentication platform that supports the FIDO2 and WebAuthn standards, an attestation policy that decides which kinds of authenticators it will accept, a key-management story for the public keys, and integration with the card networks' tokenisation and 3-D Secure flows. (EMVCo on 3-D Secure) Mastercard's Payment Passkey Service, which is what KTC used, sits at exactly this junction. It binds the customer's device-resident passkey to the tokenised payment credential and signals successful authentication to the issuer through EMV 3-D Secure version 2.3. (Corbado on EMV 3DS and Passkeys) For the issuer, the practical question is not whether to support passkeys but how quickly the bank can retire the parts of its authentication stack that no longer add value: SMS OTP gateways, KBA challenge-response screens, and step-up flows built on dated risk engines.

There is a procurement story underneath the technology story. SMS authentication budgets at large Thai issuers are non-trivial, and the average cost-per-incident for an account takeover sits between roughly USD 200 and USD 4,500 depending on segment. (Help Net Security on passkey adoption 2025) The business case for moving off SMS OTP is, in our work with regional FIs, the easiest authentication business case to make. The harder business case is the one for retiring the legacy authentication systems that the SMS gateway is propping up, because that requires honesty about technical debt that has been deferred for a decade.

Fraud and security operations

FIDO does not eliminate fraud. It changes its shape. Authentication-time phishing collapses, but social engineering migrates further upstream into account opening, device enrolment, and authoriser changes. That has consequences for how a fraud function is organised. The team that used to chase down account takeovers triggered by intercepted OTPs needs to be rebalanced toward enrolment integrity, device-change monitoring, and behavioural analytics that look across sessions rather than within a single OTP screen. The control loop that used to live in the OTP step has to be redistributed across the customer journey. We have seen this go well at two regional issuers and badly at one, and the difference was straightforward: the issuers that succeeded restructured the fraud team before they rolled out passkeys, not after.

The wider point on fraud is that FIDO is not, by itself, a complete answer. The FIDO State of Passkeys report makes this point quite bluntly: even among organisations that have deployed passkeys, 57 percent still rely on phishable authentication methods for primary day-to-day sign-in. (BusinessWire on FIDO 2026 report) That is the gap between deploying passkeys and depending on passkeys, and closing it is the operational work. Layering an unrotated SMS fallback under a shiny passkey login is a common antipattern. The attacker simply chooses the cheaper path.

Customer experience and journey design

The customer-facing case for passkeys is the part that gets least attention inside banks, and it is the part that quietly funds the programme. Friction at checkout has measurable revenue consequences. Roughly 28 percent of online shoppers have admitted to abandoning orders because the checkout was too long or complicated, and 17 percent have abandoned because of payment-data trust concerns. Mastercard's own data, gathered as it rolled passkey authentication into European checkout, has put adoption at close to 50 percent of e-commerce transactions on the rails it supports. (FIDO Alliance on Mastercard Europe 50%) On Mastercard Payment Passkey integrations more generally, cart-abandonment improvements of 30 to 70 percent and authorisation-rate improvements of 3 to 5 percentage points are the numbers we see vendors quoting and clients verifying. (Mastercard Payment Passkey Service India launch)

For a Thai issuer, the customer journey question is sharper than it would be in Europe because Thai customers are already in the habit of authorising large amounts inside the mobile banking app, with PromptPay rails carrying the volume. The right design question is not whether to introduce passkeys into checkout but how to use device-bound credentials to remove friction from the existing flows that customers already trust, while quietly retiring the SMS fallbacks behind them. Done well, the customer experience improves visibly. Done badly, it produces a confusing parallel-track login that customers find harder than what they had before.

Procurement, vendors and the build-versus-buy call

Procurement for an authentication programme is unusually political because it cuts across cards, retail, and digital. A bank can buy passkey infrastructure from a network like Mastercard or Visa, from a specialist identity vendor like Ideem or Authsignal, from a payment-processing partner like FIS, or it can build directly on the FIDO2 and WebAuthn standards using cloud and authenticator-platform primitives. (Ideem on Next Gen Authentication)

The right answer depends on the bank. For card-issuing flows, the network-led path is often the fastest route to a working production system and to EMV 3-D Secure conformance. For retail and SME mobile banking, a specialist platform with a strong WebAuthn relying-party implementation will tend to be more flexible. For the largest issuers with sophisticated engineering teams, building parts in-house is defensible and sometimes preferable. The mistake we have seen most often in the region is to outsource too much of the relying-party logic, and then to find that the bank cannot easily change attestation policy when the regulator's posture shifts. Authentication is a domain where banks want to keep ownership of the policy layer, even if they buy the cryptographic plumbing.

The regional picture: Thailand is not first, and the comparison matters

Three reference points are worth holding in mind. Singapore, India, and the United Arab Emirates have each moved on authentication ahead of Thailand, and each by a different mechanism. The Monetary Authority of Singapore has coordinated DBS, OCBC, and UOB toward passwordless and digital-token-based authentication, which has the welcome effect of preventing any single bank from bearing competitive disadvantage during the transition. (Daon on passwordless banking) UOB moved its mobile-wallet authentication onto digital tokens through the UOB TMRW app from 1 July 2025, with SMS OTP progressively removed. (UOB Digital Token Authentication) The FIDO Alliance's own May 2026 update calls passkey adoption in Singapore "mainstream." (FIDO on Singapore mainstream passkeys)

The Reserve Bank of India has announced new authentication rules effective April 2026, signalling a clear move away from OTP-based authentication for digital payments. That is regulatory in form but industrial in effect: every major Indian issuer is now in some stage of a passkey rollout, often building on the rails that Mastercard's August 2024 launch of its Payment Passkey Service in India seeded. (Mastercard Payment Passkey Service India launch) The UAE Central Bank has gone further still, requiring all licensed financial institutions to eliminate SMS and email OTPs by March 2026, with Emirates NBD, ADIB, and FAB already migrating to app-based authentication with biometrics and passkeys. (Authsignal on global OTP regulation)

Against that backdrop, Thailand's posture is recognisably similar in direction but earlier in execution. The BOT regulation is constraining the worst SMS practices without yet mandating their disappearance, and the market is moving in advance of any explicit mandate. Krungthai's pilot with Mastercard is the most visible sign so far that the issuer side has decided to lead rather than wait, and we expect the other Tier-1 banks to be in some form of passkey procurement by the end of 2026 even if they have not announced it. The wider passwordless authentication market is growing at roughly 18 percent compound annually, from USD 24 billion in 2025 toward USD 56 billion by 2030, and a meaningful slice of that spend will sit on Thai banks' authentication and identity stacks over the next three years. (MobileIDWorld on Mastercard Passkeys)

The agentic angle: why the AI ride from Suvarnabhumi was the first proof of a much bigger architecture

Return to the original pilot. The reason the agent-booked-a-taxi story is genuinely significant, even if it was over-headlined, is that agentic commerce does not work without a working authentication layer that is acceptable to issuers, networks, and regulators. The networks have not been shy about this. Mastercard and Visa have spent the last six months stitching together "Know Your Agent" capabilities, and FIS launched an industry-first agentic transaction platform for issuing banks in early 2026 that is designed to do exactly the identification and authorisation work that AI-initiated transactions require. (FIS press release on agentic commerce) (PYMNTS on payment networks and agentic commerce)

'Without FIDO-grade authentication and tokenisation underneath, agentic commerce cannot function as anything other than a demo.'

The whole point of an AI agent transacting on a customer's behalf is that the consent capture has to be auditable, the credential has to be revocable, and the authentication has to be both phishing-resistant and cryptographically attributable to a specific human at a specific moment. (Forrester on agentic payments) That is exactly what Mastercard Payment Passkeys plus EMV 3-D Secure tokenisation are designed to do. The reason KTC's pilot mattered is that it is the first time the full stack was demonstrated end-to-end inside a Thai issuer context. Everything else that gets called agentic commerce in Thailand over the next two years will sit on top of that primitive, whether the headlines say so or not.

What I would tell a Thai bank CTO this quarter

If you are running technology at a Thai Tier-1 or Tier-2 today, here is the set of moves we would talk through if you walked into our office in Sathorn this week. None of these are exotic. They are the moves that the next 24 months reward.

Our Recommended Execution Steps

References