Banks mum on S'pore NAF signup

National authentication services on track to launch mid-2011 but banks operating in Singapore yet to commit to government-led initiative. Convincing early adopters will be key to success, says analyst.
Written by Vivian Yeo, Contributor on

Singapore's national authentication framework (NAF) is set to go live over the next few months, but banks operating in the country have yet to endorse the platform with their participation.

In an e-mail interview with ZDNet Asia, a spokesperson from Assurity Trusted Solutions--a subsidiary of ICT regulator, Infocomm Development Authority of Singapore (IDA), set up to oversee the NAF--said the two-factor authentication (2FA) service is on track to be rolled out from the second half of this year. He added that system is currently being built and "progressing well".

Participation from banks is "important", given the NAF's goal of providing convenience to consumers by offering them access to multiple e-services using a single token, he said.

The Monetary Authority of Singapore in December 2006 mandated the use of 2FA in the local banking industry and this allowed consumers to become accustomed to the use of hardware, software or SMS tokens to generate a one-time password (OTP) as the second authentication factor. OTP is requested at login as well as for sensitive transactions such as third-party funds transfer.

According to the Assurity spokesperson, the company has been engaging "most of the banks" on a regular basis and they have "shown significant interest in the NAF".

However, he was unable to indicate how many banks have been targeted to participate when Assurity launches its service. "It is too early to predict this as every bank has to make its own assessment if it wishes to come on board the NAF. Banks will also need to consider the migration of their existing systems," he explained.

The IDA-subsidiary reiterated that it expects banks to "join the NAF platform progressively" because their in-house authentication implementations will need to be refreshed every few years. This is particularly relevant for banks that have invested in hardware tokens, as these devices typically have a shelf-life of between five and seven years.

"Banks can take the refresh cycle to seamlessly and progressively transit to NAF entirely in order to take full advantage of the cost savings [from switching to] the NAF platform," the spokesperson said.

Adoption not quite yet
Keith Lam, Asia-Pacific associate market analyst at IDC Financial Insights, also noted that buy-in from banks will signal greater benefit for consumers to sign up for the national authentication service.

Besides enabling customers not to have to manage multiple tokens, endorsement from the banks creates the "impression that the NAF is sufficiently secure" for the banks to be willing to switch, Lam said.

However, getting banks to come on board will take time, he pointed out. "Banks are typically more risk-averse when it comes to rip-and-replace exercises like this. They will often watch one another and choose to join later in the game.

"We can expect the switch to happen in the next two to three years, if it happens," he said.

According to the IDC analyst, cost savings--rather than security--will lure banks to tap the NAF, as their existing hardware infrastructures are already sufficiently secure. With the national platform offering hardware and SMS-based tokens for a start, banks looking to expand their OTP modes will find the NAF a cheaper option to do so.

But, at the same time, banks will face a "real challenge" in demonstrating returns on investment to their senior management.

Lam noted: "The challenge is in getting the first few banks to switch and after that, it will be easier for any internal business case justification or even as a strategy play for banks to remain relevant and competitive."

Banks not committed, yet
Banks, for now, remain cautious and non-committal, preferring to hold their cards close to their chests.

In an e-mail, Pranav Seth, head of e-business at OCBC Bank, would only reveal that the local bank is in the "preliminary stages" of evaluating the NAF and "in discussions with the relevant parties to see whether we can eventually work together".

A spokesperson from United Overseas Bank (UOB) said in an e-mail the bank is "prepared to explore" as long as the service can benefit its customers without compromising their security and privacy. "We trust that the national authentication framework will contribute to higher security technology standards and give customers more choices," she added.

Sandeep Lal, DBS Bank's managing director of consumer banking group e-business, noted that there are still some aspects of the NAF that are still being finalized. He told ZDNet Asia in an e-mail: "[DBS will] evaluate the proposal as these get addressed and make a decision that is best for our customers."

He acknowledged, however, that the provision of a standard authentication system will eliminate the need for individual parties to build "expensive systems of their own".

"It allows smaller businesses to participate and over time, it should increase confidence in the Web as there will be more accountability," said Lal.

"[On the other hand, though,] risk may be concentrated if it is with a single provider," he pointed out. "It needs to be managed so that there is no single point of failure."

"When implementing such a system, reliability is a key concern and service levels will need to be agreed upon by both the provider and key users. Risk and backup need to be monitored closely as businesses have different levels of requirements," Lal said. "Integration with existing systems will have to be considered and a track record needs to be established before critical applications are migrated over."

Citibank could not revert in time for the story, while Standard Chartered Bank declined comment.

Editorial standards