Authorities issue formal advisory for private sector to stop using NRIC numbers as passwords, authentication
Companies should stop using NRIC numbers as passwords to authenticate people’s identities, say the Personal Data Protection Commission (PDPC) and the Cyber Security Agency (CSA).
A man handing over an NRIC for scanning. (File photo: CNA/Zhaki Abdullah)
This audio is generated by an AI tool.
SINGAPORE: Private sector organisations should stop using National Registration Identity Card (NRIC) numbers to authenticate individuals or as passwords, said the Ministry of Digital Development and Information of Singapore (MDDI), citing risks of impersonation and data breaches.
The Personal Data Protection Commission (PDPC) and the Cyber Security Agency (CSA) issued a formal advisory on Thursday (Jun 26), guiding companies to stop using NRIC numbers to prove a person’s identity.
“While organisations may use NRIC numbers to identify who a person is over the phone or when using digital services, NRIC numbers should not be used to prove that a person is who he claims to be … for the purposes of trying to gain access to services or information meant only for that person,” said MDDI.
The ministry noted that currently, private sector organisations may require people to use their NRIC numbers as passwords to access information intended only for them, such as in insurance documents.
“It is unsafe for organisations to use NRIC numbers in this manner because a person’s NRIC number may be known to others, permitting anyone who knows his NRIC number to impersonate him and easily access his personal data or record.”
Hence, companies that are using full or partial NRIC numbers for authentication purposes should move away from this practice as soon as possible, said MDDI.
This includes not setting NRIC numbers as default passwords in password-protected files sent via email, and not using the full or partial numbers together with other easily obtainable personal data, such as date of birth.
“If it is necessary to authenticate a person, organisations should consider alternative methods, for example requiring the person to use strong passwords, security token or fingerprint identification,” said MDDI.
The ministry added that the government is also working with regulated sectors, including finance, healthcare and telecommunications, to develop sector-specific guidance in the coming months.
The government has been working to ensure the proper use of NRIC numbers in the private sector since January to better protect citizens, said MDDI.
The director of the Association of Banks in Singapore (ABS) said in a statement on Thursday night that there are "limited non-transactional circumstances" where NRIC numbers are used for authentication. This includes opening encrypted documents sent by email.
"In this regard, the industry is exploring alternative authentication methods in line with today's advisory," said Mrs Ong-Ang Ai Boon.
ABS said in December that banks were conducting a "thorough review" of their practices on the use of NRIC numbers.
It also assured consumer banking customers that NRIC numbers alone cannot be used to effect payment and fund transfers as multiple layers of authentication are used.
In January, Minister for Digital Development and Information Josephine Teo said in a ministerial statement that private sector organisations that are using NRIC numbers as authentication factors or default passwords should stop this practice as soon as possible.
Mrs Teo said at the time that those organisations which collect partial NRIC numbers to identify people can continue to do so, and that the ministry would only consider how the guidelines on NRIC number usage in the private sector should be updated after consulting the public.
The move followed public backlash in December 2024 over the launch of a new Bizfile portal by the Accounting and Corporate Regulatory Authority (ACRA), which exposed names and full NRIC numbers for free via its search function.
