Participation key to S'pore 2FA framework

Singapore's national authentication framework needs a critical mass of transactions, observers say, but local banks may choose to retain their own two-factor setup for now.

Singapore's national authentication framework (NAF) needs a critical mass of transactions and an expanded scope to succeed, say industry players familiar with the framework.

First announced in 2005, the NAF is the platform on which the country endeavors to provide strong authentication for transactions between the government, private sector and citizens. Last October, the Infocomm Development Authority (IDA), acting as the government's CIO, issued a Call For Collaboration (CFC) to seek Authentication Operators (AOs). Selected AOs will be tasked to provide two-factor authentication (2FA) offerings to service providers in the government, finance and healthcare industries.

The CFC was originally due to close on Jan. 31, but the IDA later announced on its Web site that the deadline for submissions had been extended to Feb. 28.

Although unwilling to share details on commercial and technical issues, industry observers making bids for the NAF told ZDNet Asia the framework's success depends on the adoption by both service providers and end users.

Tan Teik Guan, CEO of Data Security Systems Solutions (DSSS), pointed out that Singapore's small population--despite its high Internet penetration rates--is one of the biggest challenges for the NAF.

"Running a highly secure, highly available authentication infrastructure is costly and requires a critical mass of transactions in order to be commercially viable," he explained in an e-mail interview.

Tan Sian Lip, vice president of consulting and solutions at CrimsonLogic, also noted in an e-mail interview that widespread adoption is a key success factor for the NAF. To drive this, there should be strong government leadership, he said, adding that the chosen authentication offerings and services must also be attractive to users.

CrimsonLogic's Tan added that the focus on the government, financial and healthcare sectors may not be enough, but it would be a case of the "80-20 rule", where 80 percent of the demand for secure transactions would be derived from these industries. "Other newer sectors like online games and new media have not given indications of substantial needs for NAF-type services," he noted.

Ang Kwang Tat, CEO of ANTlabs (Advanced Network Technology Laboratories), pointed out in an e-mail that there will be some challenges for NAF AOs to note and overcome. "Besides the fact that it is a multi-million dollar investment on the part of the AOs and the government, there is some uncertainty on the timeframe for the ROI (returns on investment) since the uptake of the services from both end-users and the individual service providers like online portals and Web services is unknown at this time," Ang explained.

"Another possible challenge is reaching out to end users to market--logistically register and distribute any hardware or software. This will slow down the takeup rate even though there is a legitimate and important need for the 2FA OTP (one-time password) authentication service," he said.

DSSS' Tan noted the potential for the NAF to expand its scope. "At the onset, the AOs are expected to offer per-transaction charging, per-user charging and an unlimited usage model.

"I believe that as the NAF matures, there is scope for much more differentiated offerings, such as authenticating high-value transactions which can attract an insurance component, or tie-ups with cross-border authentication infrastructures in other countries such as Korea or the United Kingdom," he added. "For now, I think operators will simply concentrate on getting as many service providers and customers as quickly as possible."

According to Tan, "quite a number of government agencies" have indicated they will consider using the NAF. The framework could also "prove to be a cheaper option" for some foreign banks.

ANTLabs' Ang said government portals that tap on SingPass, such as the Central Provident Fund and Inland Revenue Authority of Singapore sites, would likely be key target parties for AOs. Such organizations would likely pay a "lump sum, annual service fee for basic services", he said.

"If the individual users opt for more sophisticated mechanisms, such as requiring additional hardware, for example, they can purchase these mechanisms individually," explained Ang. "For example, an online gamer who has amassed thousands of dollars of treasure value in an online game will not bat an eyelid to pay fifty dollars to buy special hardware or additional software to prevent the password from being stolen. Similarly, a blogger who has a very popular online blog with a good following of readers doesn't want someone to log into their account and create havoc by posting indiscriminately."

On the other hand, user organizations--online portals or Web services providers--may subsidize or sponsor the authentication equipment in return for greater loyalty or more business from VIP users, he added.

Business models may also differ depending on the type of revenue models of the user organizations, he said. "For Web services with fewer users, the AO may charge them by user accounts or transactions depending on what makes sense, and depending on the Web service.

"To a bank, for example, it may make sense to buy based on user accounts since they can predict clearly the existing customer numbers, compared with their transactions, while for an online merchant with transient users that come and go, or where they can't register a user beforehand, a per-transaction model may be more applicable and help control the cost of operations," he added.

Banks may stick to own 2FA systems
Local banks, however, may not want to jump on the NAF bandwagon for now, DSSS' Tan noted. Existing 2FA investments are "still good" and remain relevant as the banks serve both local and foreign customers, Tan explained.

"Assuming that the AOs offer per-transaction pricing, it would mean that the local banks can join the NAF but [they] may not direct most of the authentication traffic to the NAF," he said. "My guess is...when the cost of token replacement exceeds the cost of using the NAF, the migration would become natural."

Pointing out that there are currently no plans to make it compulsory for banks to use the NAF, CrimsonLogic's Tan said banks that do not participate in the NAF will have to continue to operate their respective 2FA infrastructure. Renewal is also necessary as existing tokens used by banks will expire in the near future, he added.

Those that do participate in the NAF will be required to perform "one-time changes to integrate their systems with the NAF", he noted. Existing bank tokens will be replaced with NAF authentication measures, and NAF operators will provide support to end users and participating organizations.