If you still have your physical device but want to replace it with the digital version (so you don't have to carry a gadget), you can usually do this instantly via the app.
If you have lost your Secure Key or had it stolen, do not wait to report it. Even though a thief needs your PIN or Password to use the key, it is a vulnerability.
The HSBC Secure Key was fit for the 2010s but is no longer sustainable or secure enough for the 2020s threat landscape. Project Nexus – a FIDO2-first, biometric-authenticator app with an adaptive risk engine and a battery-free emergency card – delivers superior security, lower cost, and a frictionless user experience. By eliminating shared secrets and physical logistics, HSBC can save over £160 million in five years while reducing its carbon footprint and protecting customers from modern phishing attacks. The time to replace the Secure Key is now.
Appendix A: Glossary
Appendix B: Mock User Dialog – Support Script
Customer: “My Secure Key battery died. Send me a new one.” Agent: “We’ve actually upgraded to a more secure and convenient method. May I send a one-time enrollment link to your verified mobile number? You’ll use your phone’s face or fingerprint – no more physical device to lose.” hsbc replacement secure key exclusive
End of Paper
The HSBC Secure Key is a two-factor authentication (2FA) tool designed to provide an extra layer of security for your online banking. While many users are being transitioned to the Digital Secure Key via the mobile app, physical devices are still supported for those with incompatible hardware or specific accessibility needs. Understanding Your Replacement Options
If your physical Secure Key is lost, stolen, damaged, or showing a low battery warning, you generally have two paths for replacement:
Upgrade to Digital Secure Key: HSBC strongly recommends switching to the digital version integrated into the HSBC Mobile Banking app. This is free, faster, and eliminates the need to carry a separate physical device.
Order a New Physical Device: If you cannot use the app, you can request a replacement physical device. Be aware that once you activate a Digital Secure Key, any existing physical device is typically deactivated and cannot be used again. Identifying Low Battery Warnings If you still have your physical device but
Physical Secure Keys are sealed units; the batteries are not user-replaceable. The device will notify you when the battery is dying with specific codes: bAtt 2: Approximately 2 months of life remaining. bAtt 1: Approximately 1 month of life remaining. bAtt 0: Immediate replacement is required. How to Request a Replacement
The process varies slightly depending on your region and whether you still have access to your old device: Secure Key FAQs | Ways to Bank - HSBC Expat
Replacing Your HSBC Secure Key If your physical HSBC Secure Key has been lost, stolen, or the battery has run out, you have two primary options: switching to a Digital Secure Key requesting a replacement physical device
. HSBC has phased out physical devices in many regions in favor of the more secure and convenient digital version. HSBC India Option 1: Switch to a Digital Secure Key Digital Secure Key
is a feature within the HSBC mobile banking app. It replaces the physical device by generating security codes directly on your smartphone. HSBC India How to Set Up: Download the HSBC mobile banking app for your region from the Apple App Store Google Play Open the app and log in using your existing username. Follow the prompts to Activate Digital Secure Key The HSBC Secure Key was fit for the
Verify your identity using an activation code sent to your registered mobile number or by using your existing physical device if it still works.
You no longer need to carry a separate device, it uses biometric authentication (Face ID or fingerprint), and it is considered more secure than physical tokens. HSBC India Option 2: Request a Replacement Physical Device
If you cannot use the digital app or prefer a physical token, you can order a replacement. Note that some regions may only offer these for customers with specific accessibility needs. Secure Key FAQs | Ways to Bank - HSBC Expat
| Threat | Legacy Secure Key | Project Nexus Solution | |--------|------------------|------------------------| | Man-in-the-middle phishing | Vulnerable (OTP captured) | FIDO2 origin binding: browser verifies domain | | SIM swap attack | High risk (SMS fallback) | No SMS fallback; device-bound key can’t be migrated | | Malware on PC | OTP visible on screen | Private key never leaves secure enclave; biometric required | | Lost device | Attacker knows PIN? Could generate OTP | Remote wipe via HSBC portal + separate recovery phrase (BIP39-like) |
Recovery protocol: User receives a 12-word recovery code upon enrollment. This is stored encrypted in their password manager or safe. To enroll a new device, they enter recovery code + identity document scan + liveness check.
