Passkeys + 2FA for SA banking and wallets
Passwords are failing in predictable ways. Passkeys and stronger 2FA change the odds for South Africans who bank and hold crypto on their phones.
South African fraud has a signature move: scammers rush you, and then they harvest whatever you tap. The pattern spikes when everyone is distracted, which is why seasonal scam pressure and “urgent verification” bait keep showing up in local banking stories.
Crypto brings a second layer of chaos: one wrong approval, one fake support DM, one dodgy link, and your funds take the scenic route to someone else’s wallet. The difference between “annoying” and “catastrophic” is frequently who controls your keys and withdrawal access.
What a passkey is (and what it isn’t)
Passkeys are password replacements built on public-key cryptography. Each passkey is a key pair: the service stores the public key, and the private key stays on your device (or in your end-to-end encrypted passkey sync) and is never sent to the service. A login proves possession of the private key by signing a one-time challenge, so there is no reusable secret for a phishing site to capture and replay.
Passkeys are built to resist phishing. A passkey is bound to the domain of the website or app that registered it, and the browser or operating system only offers it to pages on that domain, which means that a lookalike login page cannot “borrow” it.
Passkeys are not “your fingerprint stored on a server”. Your fingerprint or face scan is used to unlock the passkey on your device. Biometric data remains on the device, not on the website.
Passkeys already lean on more than one factor. You need the device, then you unlock it with Face ID, fingerprint, or your screen PIN. Google and Apple describe passkeys this way in their own guidance.
Why passwords and SMS OTPs are a weak combo in South Africa
South African criminals do not need movie-hacker skills when social engineering works faster. SABRIC’s reporting has been blunt for years: digital banking crime is driven heavily by phishing, vishing, SIM swaps, impersonated “support” calls, and people being pushed into approving things under pressure.
Passwords fail in boring ways: reused passwords, leaked passwords, “reset my password” routed to a hijacked inbox, or a rushed login on a fake page. SMS OTPs fail in predictable ways: SIM swap, call-centre manipulation, and “read me the code so we can reverse fraud” scripts. When those two are combined, you don't have two layers; you have one weak chain with two weak links.
2FA is still worth it, but SMS is the wobbly version. Banking warnings in SA repeat the same rule because it still works on people: nobody legitimate needs your OTP or your “approve” tap to “reverse fraud”.
Passkeys plus 2FA, what “better security” looks like in normal life
Banks and wallet providers use security in different ways, but the principle is the same: use a phishing-resistant login, then use step-up checks for high-risk actions.
Login layer (stop credential theft)
- Passkey as the default sign-in where it exists (Google account, Apple ID logins, many mainstream apps and services).
- If passkeys are not available, use a password manager-generated password that is long and unique.
Step-up layer (stop takeover damage)
- In-app approvals for payments, device binding, and transaction signing (common in SA banking apps).
- Authenticator-app codes (TOTP) for exchanges and wallet-related accounts (stronger than SMS because it is not routed through your SIM).
- Hardware security keys for high-value accounts, if you can do it (less convenient, more protection).
Reality check for SA banking apps
Passkeys are mainstream in the Google, Apple, and Microsoft ecosystems, but South African banks are still in transition. Public comments from local bank security teams suggest “watching the space” rather than broad consumer rollouts.
Many banks already rely on device-based approvals and extra controls instead of passkeys, which is why you see tools like FNB’s token approach and app-linked confirmations in the market. FNB also lets you add virtual cards whose CVV changes every few minutes, so a captured card number and CVV go stale quickly.
Banking apps vs crypto wallets, where this matters most
Banking: the enemy is impersonation. Most bank theft starts with someone pretending to be your bank, courier, network, or “fraud department”. The fix is less about becoming a security nerd and more about refusing the script.
Bold rule (treat as law): Verify on a channel you choose. End the call, use the bank’s official number, open the app yourself, and log in your own way.
Crypto: the enemy is approvals and recovery
A crypto wallet is not a bank account. There is no “forgot my password” desk for a seed phrase. The security job splits into two parts:
1) Protect access to the wallet and seed phrase
- Never store a seed phrase as a screenshot or in cloud notes.
- Treat “support” DMs as hostile by default.
- Prefer writing it down on paper and storing it privately, or use a dedicated hardware wallet once balances justify it.
2) Protect what you sign
- Many drains start with “sign”, not “send”. A signed token approval or permit gives a contract the right to move your funds later, so the wallet empties without you ever pressing “send”.
- Read the action, then reject anything vague, rushed, or framed as “verification”.
A five-minute checklist for South Africans who bank on their phone
Phone first
- Use a strong screen PIN (not a birthday, and definitely not 1234).
- Turn on biometrics and switch on “require device unlock” for sensitive apps where your phone supports it.
- Set a SIM PIN. It will not stop a carrier-side SIM swap, but it stops someone who steals your phone from moving the SIM into another handset and receiving your OTPs.
Email next (because password resets go through it)
- Put a passkey on your Google account where possible.
- Add a second factor that is not SMS.
Banking app settings
- Turn on every alert you can tolerate (logins, new device registration, payments).
- Lower limits you do not need.
- Treat “approve” prompts you did not start as a red alert.
Exchanges and wallet-related accounts
- Use an authenticator app for 2FA, not SMS, wherever the option exists.
- Store backup codes somewhere offline.
- Lock withdrawals behind extra checks where the platform gives you the option.
Your brain (still the most attacked surface)
- Pause for at least 60 seconds when there's a sense of urgency. SABRIC’s consumer guidance is repetitive because criminals are repetitive.
- Refuse “move to WhatsApp” escalations from strangers.
- Refuse screen-sharing or remote access requests from “support”.
Security is not a single setting. It is a stack: device lock, secure email, phishing-resistant sign-in, then step-up checks for the money-moving parts. Fix the stack, and scam scripts start bouncing off you instead of landing.