MPChat v1.5.0 retires the legacy 6-digit payment password and replaces every sensitive verification with a Passkey. This article explains why the change is mandatory, what stays the same, what onboarding looks like for accounts that existed before v1.5.0, and the timeline for older app versions still on the legacy password.
What changes in MPChat v1.5.0 — and why
MPChat v1.5.0 is the largest account-security upgrade since launch. The TL;DR: the 6-digit payment password is gone, replaced by a Passkey for every sensitive flow. The reasons:
Hardware-backed verification. Passkeys are stored on the phone's secure enclave; even MPChat's servers never see the credential.
Phishing resistance. Passkeys are bound to
mp.net; impersonator sites cannot trigger them.No password to leak. Nothing to type, screenshot, or reuse on another site.
Industry alignment. Apple, Google, banks, exchanges, and most regulated fintechs are moving to Passkeys; v1.5.0 brings MPChat onto the same standard.
For an explainer, see Passkey overview.
What is mandatory after upgrading
You must add a Passkey to use the wallet. The first time you tap the wallet tab after upgrading, MPChat shows the Passkey explainer; without a Passkey, wallet is locked. (See first-time Passkey setup.)
Withdrawals, transfers, red packets, internal moves, card actions all require Passkey. The first time you trigger any of these without a Passkey, MPChat shows the upgrade banner: "For stronger fund-security protection, the account system has been fully upgraded. After the upgrade, withdrawals, transfers, red packets, card applications and other important operations require Passkey verification." Tap Add Passkey to continue.
Login by Passkey is optional but recommended. You can still sign in with phone / email + verification code; Passkey is the faster path.
What stays the same
Existing balances, transaction history, KYC, and friends are untouched. v1.5.0 changes verification, not data.
2FA still works. SMS / email / Google Authenticator continue as your second factor for withdrawals.
Existing cards keep working. Card numbers, balances, subscriptions are not affected. The only change is that future view-PAN / freeze / etc. actions now use Passkey instead of the legacy payment password.
If you keep using an older app version
Older client versions still let users verify with the legacy 6-digit password until those users update. Once you update to v1.5.0 and add a Passkey, the legacy password is permanently retired for that account — there is no opt-out and no "use password instead" toggle. We strongly recommend updating to keep receiving security patches.
Onboarding sheet wording for legacy accounts
The first sensitive action after upgrade triggers a one-time blocking sheet. The exact copy:
For stronger fund-security protection, the account system has been fully upgraded. After the upgrade, withdrawals, transfers, red packets, card applications and other important operations require Passkey verification.
Tapping Add Passkey jumps to the Passkey explainer page; on success, MPChat returns to the original action and toasts "Added successfully".
What if I cannot add a Passkey on my phone
If your device cannot meet the iOS 16 / Android 14 floor, you cannot complete the upgrade flow on that phone — MPChat blocks Passkey creation with a clear dialog. You can either upgrade your OS, use a phone that meets the floor, or contact support for guidance. (Login on the older device still works for read-only purposes; sensitive actions require Passkey.)
What about my old payment password — can I get it back?
No. Once you add a Passkey on v1.5.0, the legacy password is retired and there is no recovery flow for it. If you ever lose Passkey access, the recovery path is Reset Passkey via face liveness, not a password reset.
Future plans
Account-level 2FA (currently SMS / email / Google Authenticator) will gain Passkey as a fourth factor option, so users who prefer to keep 2FA can use a single Passkey across both account-level and operation-level verification.
Related articles