SINGAPORE--The Infocomm Development Authority of Singapore (IDA) has revealed that it is planning to open a tender for operators to provide two-factor authentication (2FA) services to public sector agencies, as part of its wider plans to drive 2FA adoption in the country.
This may see new players joining the arena to provide 2FA services with Assurity, a wholly-owned IDA subsidiary set up to operate the National Authentication Framework (NAF). The NAF is a national project aimed at improving the security of online transactions, which has so far been tapped on by the financial sector including some securities trading firms.
"[We have] been working closely with the agencies that may require a stronger level of authentication and studying our collective requirements to prepare for an open tender, which these agencies can tap on to procure 2FA services if needed," an IDA spokesperson told ZDNet Asia.
ZDNet Asia understands that the open tender is likely to take place by year-end.
E-government services need 2FA
Singapore's e-government services should adopt two-factor authentication (2FA) as an extra security layer, industry watchers told ZDNet Asia.
Compared to the current first-factor authentication (1FA) where users only key in their usernames and passwords, 2FA provides an additional layer of protection against online attacks, as users will have to provide a one-time password (OTP) received through their designated mobile device or physical token, elaborated Ng Kai Koon, senior manager legal and public affairs of Symantec Singapore.
In light of recent e-government account hacks and a security landscape today with more sophisticated cybercriminals, these services should start adopting two-factor authentication (2FA) as a security layer, or make use of the National Authentication Framework (NAF) to secure important transactions, observed Ngair Teow-Hin, CEO of security vendor SecureAge.
Ngair was responding to two Singaporeans' complaints of their e-government accounts being hacked.
Singaporean Raymond Lim complained on Facebook that his SingPass account had been hacked and used to sponsor the visa application of Chinese nationals. SingPass, or "Singapore Personal Access", is a single ID and password to transact in some government online services. The case comes after another Singaporean, Andy Ho, claimed, also on Facebook, that his passport had been fraudulently used to sponsor seven unknown people into Singapore.
When queried over e-mail by ZDNet Asia about the hacking claims, IDA did not address the issue directly. "We take this opportunity to advise the public to use stronger passwords, change them regularly and be vigilant in protecting the confidentiality of their passwords," said the spokesperson.
Beware costs and inconvenience
With 2FA adoption for e-government services, additional costs may be incurred by operators or the users, Ngair warned. Users may also feel inconvenienced with another authentication device that they may need to carry around, he explained.
For one, Olivia Chu, a marketing executive, told ZDNet Asia that while she felt safer if there was 2FA in place, she would find it "very inconvenient" as she already has difficulties remembering her password.
The SingPass system has also been in use for a long time and some people do share their account passwords to facilitate ease of performing company-related transactions, Ngair added. Introducing 2FA would stop such sharing but may lead to lower productivity in performing routine transactions, he explained.
In order to successfully adopt 2FA, risk and convenience must be balanced, said Chai Chin Loon, chief operating officer of Assurity, a subsidiary set up by IDA to oversee operations of the nationwide authentication platform.
User education on 2FA awareness is important, he added, remarking that Assurity has been running programs to educate the public on Internet security risks.