Enhanced SingPass with added security goes live July 5

By Benjamin Cher July 3, 2015

2FA to be deployed for over 3.3 million users of e-govt services
Users given one-year grace period to activate to new login procedures

Enhanced SingPass with added security goes live July 5

[This article has been amended]

ENHANCEMENTS to SingPass, Singapore’s single sign-on for users to access e-government services, are slated to go live on July 5, according to the Infocomm Development Authority of Singapore (IDA).

Key enhancements, intended to improve usability and security, include the introduction of two-factor authentication (2FA). Users can choose either SMS or a OneKey token as their second factor.

From July 5 onwards, SingPass users logging in will be required to update their profile information to provide their mobile number and preferred method of notification, either via SMS or email, IDA executives told a media briefing on July 2.

From 11pm July 4 to 10am July 5, the SingPass system will be unavailable to implement the enhancements. All government e-services using SingPass will be unavailable during that period. [See infographic at the end of this article]

Activating 2FA will require users to link either their mobile number or OneKey token to their SingPass account, which IDA strongly encourages users to do so as soon as possible.

There will be a one-year grace period when the current method of login will still be accepted. From July 5, 2016 onwards, it will be mandatory for users to have 2FA activated in order to use their SingPass login.

According to the IDA, 33 government agencies and statutory boards such as the Central Provident Fund Board, Ministry of Manpower, and the Media Development Authority of Singapore will be 2FA-enabled upon launch.

Currently, only 60% of e-government services require 2FA based on a policy guideline set by the Ministry of Communications and Information.

This guideline identifies critical services and the criteria for determining which of these services, dealing with sensitive data or transactions, would need to implement additional security.

Ease of access

SingPass’ current 3.3 million users will also be able to customise their userID, though the change can only be made once.

Users will also receive notifications if key profile information has been changed, to aid faster detection of any illegal access to their SingPass account, IDA executives said.

On the usability side, enhancements include mobile optimisation, a simplified interface, as well as the option to view their transactional history online. Captcha images will also be made easier to decipher.

These enhancements are intended to make things like password retrieval and changing much easier through security questions and access to a mobile phone.

The majority of password resets and changes occur at SingPass counters or via mail, inconveniencing most users, according to IDA.

Securing identities

Enhanced SingPass with added security goes live July 5 The security enhancements come in the wake of a breach in June 2014, in which over 1,500 SingPass accounts had potentially been accessed without the users’ permission, according to a report in the Straits Times.

The IDA has been taking on-going measures to strengthen security in the lead-up to the new enhancements, IDA managing director Jacqueline Poh (pic) told the media briefing on July 2.

Some measures – such as making users change to strong passwords (six characters with a combination of letters, numbers and symbols) to Captcha images to mitigate brute force attacks – have already been implemented over the years.

Regarding the move to 2FA, Poh said, “Singapore is one of the few countries in the world that has digital identities for its citizens and permanent residents, which many countries are struggling with.

“What we’ve done is to add to this digital identification, a digital authentication layer to say that this is me, and that this is really me.

“This will facilitate a wider range of government digital services in the future and make the existing services more secure,” she added.

IDA said it has also enhanced its capability to detect suspicious activity using a fraud analytics engine.

For less digitally inclined senior citizens, the agency has put in place programmes such as the Silver IT Fest to reach out and educate them on how to use their SingPass, part of the IDA’s Silver Infocomm Initiative (SII) which aims to help senior citizens pick up basic IT skills and applications.

Asked about challenges in driving these enhancements, IDA said that a key consideration was finding a balance between usability and security.

In a statement released by the IDA, Poh said, “Over the years, the Government has put over 200 e-services online through SingPass in order to enable swift and convenient transactions with the Government.

“With the rise of cyber-threats in Singapore and globally, we have added security measures like multi-factor authentication to protect SingPass users’ personal data.

“We urge all users to avoid using the same passwords for different purposes and to avoid sharing their account information with others,” she added.