IDA extends sign-up period for SingPass two-factor authentication

SINGAPORE — Only about half of all SingPass users have set up two-factor authentication (2FA), so the Infocomm Development Authority (IDA) will give those who have not done so a 30-day grace period from when they next log in.

Users had been given till Tuesday (July 5)to set up 2FA in order to access a host of government services, such as with the Central Provident Fund Board and Inland Revenue Authority of Singapore. The move is an enhancement to the system to make transactions more secure.

In a media briefing on Monday (July 4), the IDA said SingPass users who have not set up 2FA will continue to be able to access these government e-services but will have to do so within 30 days the next time they sign in.

The authority said this is to allow them to perform urgent transactions in the interim.

The IDA has not set a date to end the 30-day grace period for SingPass users to set up their 2FA.

The IDA said 1.3 million of the 3.3 million SingPass users are non-regulars — defined as those who have logged in just once in the past year, or have not accessed government e-services at all. Among the remaining 2 million regular users, 1.6 million have set up 2FA.

Mr Chan Cheow Hoe, assistant chief executive of IDA, said: “We recognise that the remaining 400,000 regular users may need more time to set up their 2FA ... We will monitor the take-up rate of the remaining regular users and decide on when to remove the grace period at a later date. If we make the grace period indefinite, it will defeat the policy intent of implementing 2FA for better data security.”

He added: “It is all based on users’ needs. If they need to transact with the Government, they will apply for 2FA. If they don’t need to access any government e-service, they can still set up their 2FA later, when the need arises.” Mr Chan said that in the interim, a range of security measures, such as fraud analytics tools, will be deployed to ensure that users’ accounts remain secure even if they have not set up 2FA.

There have been several high-profile breaches involving SingPass in recent years. For instance, more than 1,500 SingPass accounts were hacked in 2014, and about one-quarter of these users’ passwords were illegally reset.

To set up 2FA, SMS “Register” to 78008, or log in to your SingPass account and click “Set up 2-step verification” under the Quick Links section. 

Once done, a PIN mailer will be sent to you within seven working days. Follow the instructions in the mailer to activate your 2FA.