Two-factor authentication for SingPass to be implemented next year

SINGAPORE — The Government will be implementing two-factor authentication for e-Government transactions, especially for those involving sensitive data, starting from the third quarter of next year.

Screengrab of SingPass website


The two-factor authentication will take place either by Short Messaging Service (SMS) or hardware token — with the latter possibly being mandated by agencies for certain sensitive transactions.

Notification letters are also currently being sent out to users who have inactive SingPass accounts about resetting their passwords. These users will have 14 days to change their passwords, before their accounts are deactivated.

The resetting of passwords is done when unusual activities are detected on SingPass accounts, or the accounts have been inactive for three years. This is common industry practice and does not mean that the accounts have been misused or compromised, said the Infocomm Development Authority (IDA) today (Nov 27) in a media release.

“We continue to strengthen the SingPass system to protect users and enable them to transact safely online when using SingPass,” said Mr Chan Cheow Hoe, Assistant Chief Executive in the Government Chief Information Office of the IDA.

Minister for Communications and Information Yaacob Ibrahim had in July told Parliament that government agencies will be required to implement two-factor authentication for online services involving sensitive data or transactions. In June, about 1,560 SingPass accounts were found to have been compromised. Their account profiles were illicitly updated to be tied to a disproportionately small pool of mobile numbers that had been registered in Singapore. Three of the compromised accounts were found to have been fraudulently used to apply for six work passes.

Investigations uncovered no vulnerabilities within the system, Dr Yaacob had said, but he added that the system can be strengthened.

SingPass is a gateway to more than 350 e-services. Since its launch in March 2003, it has seen several enhancements, including prompts every two years to change passwords to stronger ones, and notification letters sent to users to verify any changes made to the account holder’s key personal information.
