Two-factor authentication is Bank of Asia's primary defence against unauthorised access. Here's exactly how it works and why you should never share your codes.
Two-factor authentication (2FA) requires two independent proofs of identity before granting access to your account: something you know (your password) and something you have (your registered device or authenticator app). Even if an attacker obtains your password — through phishing, data breaches, or credential stuffing — they cannot access your account without also controlling your second factor.
Bank of Asia Online supports three forms of 2FA: SMS one-time codes (OTP), authenticator app TOTP codes (Google Authenticator, Authy, or any RFC 6238-compliant app), and biometric verification via our mobile app. We strongly recommend authenticator app codes over SMS, as SMS is vulnerable to SIM-swapping attacks in which a criminal convinces your carrier to transfer your number to a new SIM they control.
Our 2FA implementation uses time-based one-time passwords (TOTP) that are valid for 30 seconds and are cryptographically linked to your enrolled device. Each code is single-use: once it is accepted, it is immediately invalidated. Our systems also implement rate limiting and progressive lockout — after three consecutive failed 2FA attempts, your account is temporarily locked and you are notified by email.
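How the 30-second TOTP check, the single-use rule and the three-strike lockout described above fit together, as an added example that is not Bank of Asia's own code; the test-vector secret, the one-step clock-skew window and the in-memory state are assumptions:

```python
import hashlib
import hmac
import struct

STEP = 30          # codes are valid for one 30-second step (RFC 6238)
DIGITS = 6
MAX_FAILURES = 3   # three consecutive failed attempts lock the account

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)

class TotpVerifier:
    """Server-side check: single-use codes plus lockout after MAX_FAILURES misses.
    State is kept in memory here (an assumption); a real deployment stores it
    per user and prunes used counters older than the skew window."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window        # accept +/- one step of clock skew (assumption)
        self.used_counters = set()  # steps whose code has already been accepted
        self.failures = 0
        self.locked = False

    def verify(self, code: str, now: int) -> str:
        if self.locked:
            return "locked"
        current = now // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter in self.used_counters:
                continue            # single-use: an accepted code is dead immediately
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_counters.add(counter)
                self.failures = 0   # a success resets the consecutive-failure count
                return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True      # temporary lock; the user is notified by email
            return "locked"
        return "rejected"
```

Replaying an accepted code within the same 30-second step is rejected even though the code is still time-valid, which is the property that makes a read-out code useless to a second caller.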
One of the most common 2FA bypass techniques is social engineering: a criminal calls you pretending to be bank staff and asks you to read out your code 'for verification purposes'. Bank of Asia Online staff will NEVER ask for your 2FA code, your password, or your PIN. If someone calls claiming to be from us and asks for these details, hang up immediately and call our official number: +65 6123 4567.
If you lose access to your 2FA device, we have a secure account recovery process that involves identity verification via government-issued ID and a mandatory 24-hour security hold before access is restored. This delay is intentional: it gives you time to detect and report any unauthorised recovery attempts.
We review our authentication architecture quarterly against NIST 800-63B guidance and update our implementation as new attack patterns emerge. Security is not a feature we ship once — it is a practice we maintain continuously.
