MAS embraces return of hardware tokens to halt surging digital scams
The Monetary Authority of Singapore (MAS) is spearheading a significant regulatory shift in digital banking security, collaborating with financial institutions to issue FIDO-compliant physical devices for online authentication. This move signals a return to a physical token solution last prevalent in the early 2000s, which was subsequently replaced by digital tokens embedded in mobile applications starting in 2017. The primary impetus for this reversion is the surge in digital scams, with reported losses escalating dramatically from approximately SGD 7.3 million in the first half of 2023 to around SGD 30 million during the same period in 2025. This rapid rise in financial crime has severely eroded public confidence in the digital banking ecosystem.
At the core of this initiative is the Fast Identity Online (FIDO) standard. This technology fundamentally enhances security by replacing traditional passwords and one-time codes with cryptographic keys stored separately on the physical token and the bank’s system. This mechanism is inherently phishing-resistant, as a criminal would require physical possession of the device itself to successfully gain unauthorized access. The FIDO token, therefore, provides a robust defense against remote attacks that currently plague mobile banking.
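The key-based sign-in described above can be sketched as follows. This is an added example, not code from MAS, any bank, or the FIDO specifications: it is a simplified model rather than the real WebAuthn message format, and the function names and the `bank.example` origins are hypothetical.

```javascript
// Simplified model of a FIDO-style sign-in; not the real WebAuthn message format.
const nodeCrypto = require('node:crypto');

// Registration: the token creates a key pair; the bank stores only the public key.
function registerToken() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { token: { privateKey }, bankRecord: { publicKey } };
}

// Bank side: a fresh random challenge for every sign-in attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32).toString('hex');
}

// Token side: sign the challenge together with the origin the browser reports.
function signAssertion(token, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), token.privateKey);
  return { clientData, signature };
}

// Bank side: accept only a valid signature over this challenge and this origin.
function verifyAssertion(bankRecord, expectedChallenge, expectedOrigin, assertion) {
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return 'malformed'; }
  if (data.challenge !== expectedChallenge) return 'stale-challenge';
  if (data.origin !== expectedOrigin) return 'wrong-origin';
  const ok = nodeCrypto.verify('sha256', Buffer.from(assertion.clientData),
    bankRecord.publicKey, assertion.signature);
  return ok ? 'accepted' : 'bad-signature';
}

const BANK_ORIGIN = 'https://bank.example';            // hypothetical origin
const LOOKALIKE_ORIGIN = 'https://bank-login.example'; // hypothetical lookalike

function demo() {
  const { token, bankRecord } = registerToken();
  const other = registerToken(); // a token that was never enrolled for this account
  const c1 = newChallenge();
  const c2 = newChallenge();
  const genuine = signAssertion(token, c1, BANK_ORIGIN);
  return {
    genuine: verifyAssertion(bankRecord, c1, BANK_ORIGIN, genuine),
    relayed: verifyAssertion(bankRecord, c1, BANK_ORIGIN, signAssertion(token, c1, LOOKALIKE_ORIGIN)),
    forged: verifyAssertion(bankRecord, c1, BANK_ORIGIN, signAssertion(other.token, c1, BANK_ORIGIN)),
    replayed: verifyAssertion(bankRecord, c2, BANK_ORIGIN, genuine),
  };
}
console.log(demo());
```

The bank's record holds nothing that can be typed into a fake page or reused later: a response signed for another origin, by another token, or for an earlier challenge is rejected.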
However, this commitment to elevated security comes with a significant user experience (UX) cost. MAS has explicitly acknowledged the need to “prioritize security over convenience,” meaning customers will inevitably face the inconvenience of having to obtain, set up, and carry a separate physical device to access their accounts. This friction is particularly relevant for elderly or less tech-savvy users who may struggle with the new setup and device management processes, potentially increasing the burden on customer support channels.
The practical implications for banks and the overall financial technology ecosystem remain opaque and pose significant challenges. Crucial questions surround the logistics and financial burden, including who will bear the considerable cost of manufacturing, distributing, and maintaining potentially millions of hardware tokens across the country. Furthermore, the introduction of these devices is expected to cause a surge in customer support requests related to usage, setup, and troubleshooting, demanding a substantial operational adjustment from financial institutions.
While the specific directives from MAS are pending, this initiative is clearly an implied requirement for financial institutions. This interpretation is reinforced by the concurrent implementation of the Shared Responsibility Framework (SRF). The SRF holds banks accountable for financial losses stemming from scams when they fail to meet their security obligations, effectively compelling them to adopt the strongest available anti-scam measures like FIDO tokens to mitigate their risk and liability. Although it is not yet clear if all customers will be formally mandated to use the physical tokens for all authentication, the trajectory suggests their use for high-value or high-risk transactions is imminent.
Regardless of the operational and logistical hurdles, MAS’s decision signifies a resolute commitment to combating online financial crime. By embarking on this path, Singapore is establishing itself as one of the first countries to commit to such a high-security, nationwide hardware solution for retail banking, potentially setting a significant precedent for other global financial hubs looking to restore trust in their digital systems.
