SingPass process simplified for users to adopt 2FA
SINGAPORE — About six months after rolling out a two-step verification process for SingPass users to strengthen data security on the Government’s e-services system, the Infocomm Development Authority (IDA) of Singapore, the portal’s manager, has simplified the set-up process, after users’ feedback that it was rather complex.
The public has until July 4 this year to sign up for the two-factor authentication (2FA), failing which they will not be able to perform sensitive government transactions online, since more than 100 government e-services, including those by agencies such as the Central Provident Fund Board, will require this 2FA from July 5.
The simplified sign-up process, which kicked in on Tuesday, sees users registering for the 2FA on the SingPass website and choosing how they would like to receive one-time passwords – which is the extra verification step – whether by SMS, or both an SMS and a security token.
A code will then be sent in a mailer within seven working days of the users’ registration, so that they can activate this two-step verification.
Activation can be done by SMS (to 78111) or via the IDA’s subsidiary Assurity Trusted Solutions’ website (https://portal.assurity.sg/activate).
Previously, users had to visit three different websites to register, activate and link their 2FA.
There are no figures available on the number of SingPass users — which total more than 3.3 million — who have set up this two-step verification since the enhanced system took effect last July.
To ensure that more users register soon for this protection measure, the IDA is allowing the public to register by SMS from mid-February, if they are not doing it via the SingPass website. From mid-February, the IDA will also be automatically registering, in batches, those who have not done so by then. The onus of activation will, however, still rest on users.
Mr Kwok Quek Sin, IDA’s director of government digital services product management, noted that the decision to simplify the process took into account user feedback and was part of continuing efforts to improve the usability of SingPass.
The enhanced security comes after several high-profile breaches involving SingPass in recent years. In 2014, more than 1,500 SingPass accounts were hacked. About one-quarter, or 419, of these users had their passwords illegally reset.
Earlier this week, a 39-year-old Singaporean, James Sim Guan Liang, pleaded guilty to harvesting in 2011 the personal details of 293 SingPass users, who had used their identity card numbers as the password for their accounts. Sim then sold the information to a China-based syndicate making sham visa applications for Chinese nationals seeking to enter Singapore.
CORRECTION: In an earlier version of this story, we reported that more than 100 government agencies will require the 2FA for their e-services. This is incorrect. More than 100 government e-services will require this 2FA from July 5. We apologise for the error.
