S'pore NAF to include man-in-the-middle safeguard

Singapore will introduce a souped-up version of a physical authentication token in the coming weeks as it prepares to roll out the National Authentication Framework (NAF), according to an executive at the government entity tasked to manage the platform.

Called OneKey, the token will include one-time password (OTP) generator for two-factor authentication (2FA), challenge-response technology, and transaction signing capability, Chai Chin Loon, COO of Assurity Trusted Solutions, revealed to ZDNet Asia in an interview this week. Assurity is the Infocomm Development Authority of Singapore (IDA) subsidiary set up to oversee operations of the nationwide authentication platform.

Transaction signing was included to protect against man-in-the-middle attacks, which are on the rise, he noted, citing last week's warning by the Association of Banks in Singapore (ABS) as an example.

The association had reported instances of malware designed to carry out fraudulent transactions during online banking sessions.

Typical 2FA transactions based on OTP can be easily exploited by man-in-the-middle attacks, Chai pointed out. Transaction signing will require users to key in their transaction details, which provides an additional layer of security.

Elaborating, the executive said transaction signing is not the same as certificate-based signing, which involves asymmetric key signing. OneKey will be based on symmetric key signing, whereby contents will be locked in the code and any attempt to change the contents by attackers will invalidate the code.

Users have the choice of using all three technologies for any transaction, Chia added. The additional steps would be "troublesome", he acknowledged, but explained that is the tradeoff for better security.

To be unveiled by the end of October, OneKey, manufactured by Vasco, is a palm-sized device resembling a calculator, with separate buttons for OTP, challenge-response and transaction signing as well as a numerical keypad layout. While slimmer, it is about twice the size of physical tokens issued by banks such as DBS and HSBC, which only include a button to generate OTP.

According to Chai, many people had expressed interest in credit-card sized tokens and software versions. However, the smartcards are costly with a short lifespan and no one has been able to "conclusively prove that" software tokens are secure, he pointed out.

That said, OneKey will not be the only token for the NAF system and with advances in technology, Assurity will be exploring the use of other OTPs on the vendor side and how it can be used, Chai noted.

Explaining the choice of naming, he said: "The name came about because we want users to treat this as a key to their transaction. Instead of carrying a large number of two-factor authentications, they only need [this] one key."

Year-end target for NAF launch
When quizzed on NAF updates, Chai said that it is "on track" to be rolled out closer to the end of the year. Assurity has been in contact with most of the industry players, mostly financial institutions, he reported.

"We are undergoing many stages of progressive tests as each part of the infrastructure is built," he said. "We need to meet stringent security requirements so there are many tests to be conducted and several compliance and certifications to be done."

The NAF had been announced in 2005 as a national initiative to improve Singapore's IT security landscape and was scheduled to roll out its services in the second half of this year.

In terms of difficulties faced in implementation, process defining was the main challenge, said Chai. Assurity had to build common set of processes that service providers can base 2FA on, from how to roll tokens out to users in a "trusted manner" and how users can transact online, to how to work with service providers.

Another challenge is public education--most users are only familiar with the OTP function so it would be necessary to put in more effort in educating them on the use of challenge-response and transaction signing functions.

Assurity, he shared, plans to persuade users that taking "reasonable security steps" can mitigate the many security risks online.

Currently, the company is developing online videos to guide users on usage of the token and has created a Facebook Page for OneKey to interact with users.

"To drive adoption, a lot of it is getting users to be comfortable that 2FA is an important aspect of online security," Chai said.

As the launch date of NAF draws near, service providers will begin pilot trials and users will be allowed to request for OneKey via their service provider Web sites. The token will be mailed to users, who then have to activate it using a PIN code sent separately, he explained.

With other developments such as the impending launch of the data protection law, Chai said the NAF rollout is a "part of the whole journey".

"Our whole existence is to help users take on better personal responsibility in securing their identity [and] improving user and personal data protection online."