SINGAPORE: SingPass users who have not registered for two-factor authentication (2FA) will have more time to do so, the Infocomm Development Authority of Singapore (IDA) said on Monday (Jul 4).
There are 3.3 million SingPass users currently, of which 2 million are regular users, or those who have logged in more than once a year. Of these, 1.6 million have set up their 2FA while 400,000 of the regular users have yet to do so, said IDA.
As such, users who have yet to set up 2FA will be given an additional 30 days to do so when they log in to SingPass from Jul 5. For example, if a user logs in to transact with the Government on Aug 15, she is given until Sep 14 to complete her 2FA set-up. During this period, she can continue to access e-services involving sensitive data with just her password.
"This will allow them to perform urgent e-transactions while they set up their 2FA," the agency said. The majority of Government e-services will require 2FA for transactions from Tuesday, it added.
IDA said users who do not transact often with their SingPass can register for 2FA on an as-needed basis. But it warned that those who transact more regularly leave themselves open to security risks should they put off the 2FA registration.
"This grace period is granted because we recognise that people do need to do urgent transactions," said IDA's assistant chief executive Chan Cheow Hoe. "But this cannot last indefinitely, because security is important. And for regular users, the risk is actually significant. And the faster you register, the better it is."
One expert said potential attackers could be aware of the 30-day grace period and may treat it as a window of opportunity.
Mr Vitaly Kamluk, principal security researcher at Kaspersky Lab, suggested implementing a "1.5-factor" authentication security measure in the interim. "(For example), verify where they log in from ... and perhaps require additional verification of a secret question, or a home address," he said.
"It's something that Google actually does; they do force you to verify your identity by providing additional information that only you might know - without using two-factor authentication strictly."
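The following is an added illustration of the interim "1.5-factor" idea Mr Kamluk describes (check where a login comes from, and demand an extra secret when the origin is unfamiliar), combined with the 30-day grace window reported above. It is example code written for this page, not IDA's or SingPass's implementation: the account fields, the use of country code plus ASN as the notion of "where they log in from", the assumption that the grace clock starts at a user's first login after the cut-over, and the sample account, secret answer and timestamps are all assumptions made for the example.

```python
"""Risk-based ("1.5-factor") step-up for accounts that have not yet enrolled 2FA.

Added example for this page, not IDA's or SingPass's code. Field names, the
country/ASN location model and the fixture data below are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

GRACE_DAYS = 30  # article's grace window; assumed to start at first login after cut-over


@dataclass
class Account:
    user_id: str
    twofa_enrolled: bool
    # (country, ASN) pairs seen on earlier successful logins (assumed location model).
    known_locations: set = field(default_factory=set)
    # Salted, stretched hash of the secret-question answer used only for step-up.
    kba_salt: bytes = b""
    kba_hash: bytes = b""
    grace_started: Optional[datetime] = None


@dataclass
class LoginEvent:
    user_id: str
    password_ok: bool
    country: str
    asn: int
    when: datetime


def _kba_digest(answer: str, salt: bytes) -> bytes:
    # Normalise whitespace/case so "Bishan" and " BISHAN " match, then stretch:
    # answers such as a home address are low-entropy and guessable.
    norm = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 200_000)


def set_secret_answer(acct: Account, answer: str) -> None:
    acct.kba_salt = os.urandom(16)
    acct.kba_hash = _kba_digest(answer, acct.kba_salt)


def verify_secret_answer(acct: Account, answer: str) -> bool:
    if not acct.kba_hash:
        return False
    # Constant-time comparison so a wrong answer is not distinguishable by timing.
    return hmac.compare_digest(_kba_digest(answer, acct.kba_salt), acct.kba_hash)


def decide(acct: Account, ev: LoginEvent) -> str:
    """Return one of: deny, require_2fa, allow, step_up_kba, enrol_2fa."""
    if not ev.password_ok:
        return "deny"
    if acct.twofa_enrolled:
        return "require_2fa"          # enrolled users always get the real second factor
    if acct.grace_started is None:
        acct.grace_started = ev.when  # first login after cut-over starts the 30-day clock
    if ev.when > acct.grace_started + timedelta(days=GRACE_DAYS):
        return "enrol_2fa"            # grace over: no sensitive e-service until 2FA is set up
    if (ev.country, ev.asn) in acct.known_locations:
        return "allow"                # familiar origin: password alone during the grace period
    return "step_up_kba"              # unfamiliar origin: ask for the extra secret first


def sample_account() -> Account:
    # Constructed fixture: a regular user not yet on 2FA who usually logs in from SG / AS4773.
    acct = Account("demo-user", twofa_enrolled=False, known_locations={("SG", 4773)})
    set_secret_answer(acct, "Bishan")
    return acct


def demo() -> list:
    """Walk one constructed account through the grace period and return the decisions."""
    t0 = datetime(2016, 7, 5, tzinfo=timezone.utc)  # cut-over date from the article
    acct = sample_account()
    events = [
        LoginEvent(acct.user_id, True, "SG", 4773, t0),                        # usual place
        LoginEvent(acct.user_id, True, "RU", 12389, t0 + timedelta(days=3)),   # new place
        LoginEvent(acct.user_id, False, "SG", 4773, t0 + timedelta(days=4)),   # bad password
        LoginEvent(acct.user_id, True, "SG", 4773, t0 + timedelta(days=31)),   # grace expired
    ]
    return [decide(acct, e) for e in events]


if __name__ == "__main__":
    print(demo())  # ['allow', 'step_up_kba', 'deny', 'enrol_2fa']
```

The step-up secret is salted and stretched because a home address or secret answer is guessable, which is exactly why this counts as "1.5" rather than two factors; anyone already enrolled is sent straight to the real second factor, and once the window closes the account is held at the enrolment step rather than being let through on a password alone.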
Principal research analyst for security and risk at Gartner, Mr Anmol Singh, said that 2FA implementation should only require simple verification of mobile numbers instead of a process that "presents an experience of new user registration".
"2FA is about using (a) second factor for authentication and not for enrolling users," said Mr Singh. "On the security front, activating 2FA on a registered mobile number only requires one to know the NRIC, which (isn't) a secret anymore, and getting hold of the PIN mailer, which isn't too difficult either."
IDA said it will continue to monitor the take-up rate of the remaining regular users before eventually removing the grace period.