Saturday, 6 June 2015

SingPass beefs up security with one-time password

Users checking e-govt accounts will have option from next month
By Irene Tham, Technology Correspondent, The Straits Times, 5 Jun 2015

FROM next month, SingPass users checking their Central Provident Fund Board (CPF) and Inland Revenue Authority of Singapore (IRAS) accounts will have the option of using a one-time password (OTP) to better secure their e-government transactions.

The password - which is generated randomly on a "OneKey" calculator-like token or delivered by SMS - is part of a systems upgrade launched after more than 1,500 SingPass accounts were breached a year ago.

Three of the accounts breached were used to make fraudulent applications for work passes.

SingPass grants Singapore residents access to 340 e-government services.

It is hoped the OTP will make SingPass accounts harder to hack into. The OTP is entered in addition to the usual SingPass and username, which is the user's NRIC number. The added layer of security is known as two-factor authentication.

SingPass maintenance messages have been put up on the SingPass, CPF and IRAS websites, alerting users that the online services on these sites will not be available from 10pm tomorrow to 10am on Sunday.

All e-government services will also be unavailable from 10pm on July 4 to 10am on July 5 due to a final round of SingPass maintenance, after which the enhanced SingPass will be launched.

The Infocomm Development Authority (IDA) has confirmed that the CPF Board and IRAS will be among a number of government agencies that will start using the enhanced SingPass after its launch next month.

It is not known whether the Manpower Ministry, which was affected by the breach last year, is included in the initial list of government agencies. No further details were given.

An IDA spokesman said: "In preparation for the launch, we will be conducting system testing, which may result in users experiencing some intermittent access issues or not being able to use the service."

Earlier in the year, a government bulk tender was awarded to IDA subsidiary Assurity Trusted Solutions to supply the OneKey devices to all Singapore citizens and permanent residents.

They are already being used by 600,000 online investors and members of the National Trades Union Congress. Existing users of OneKey can use the same token to access e-government services as part of the enhanced SingPass.

Singaporeans and permanent residents can register for OneKey at

Users can also opt to receive the OTP via SMS, depending on whether the transaction is highly sensitive. IT consultant Nigel Tan, 28, said: "I would choose SMS over tokens for generating the OTPs for now, unless the banks which have issued their own tokens switch to OneKey."

No comments:

Post a Comment