Singapore adds 2FA security to e-government services

SingPass users will need to set up the two-factor authentication process in their account, linking either their mobile number or the country's national 2FA token, OneKey.

An additional authentication measure will be rolled out for Singapore's SingPass account requiring users to go through a two-step login for access.

The two-factor authentication (2FA) process will be officially launched from July 5, alongside an improved user interface and mobile features, according to ICT regulator Infocomm Development Authority of Singapore (IDA). There are more than 3.3 million SingPass accounts, which citizens use to access over 340 e-government services including filing income taxes, checking balances in the national retirement fund, and registering new businesses.

IDA said the enhanced system would feature clearer instructions and more intuitive account management features, making it easier to navigate the site and transact. They also will be able to access their account via their mobile devices and update their account details more easily.

SingPass users will be required to use 2FA for transactions involving sensitive data such as financial or health information, as well as services that need high level of identity assurance. These will initially comprise more than 100 e-government services, including those provided by the Inland Revenue Authority and Ministry of Manpower.

With the added security measures, SingPass users will need to provide and verify their mobile number and e-mail address, and provide a set of security questions and answers. They will then have to set up their 2FA option by registering, activating, and linking the national 2FA token--OneKey--or mobile number to their SingPass account.

IDA Managing Director Jacqueline Poh said: "Over the years, the government has put over 200 e-services online through SingPass in order to enable swift and convenient transactions with the Government. With the rise of cyberthreats in Singapore and globally, we have added security measures like multi-factor authentication to protect SingPass users' personal data.

"We urge all users to avoid using the same passwords for different purposes and to avoid sharing their account information with others," Poh added.

There had been several security breaches involving SingPass including one in June 2014, which affected 1,560 users who received notifications their passwords had been reset, despite not requesting to do so. IDA then suspected the users' accounts might have been accessed without their permission. Minister for Communication and Information Yaacob Ibrahim also noted that the breach was not the result of vulnerabilities in the SingPass system but of weak user passwords or malware.

Last month, IDA also issued a warning about a phishing e-mail scam in which recipients were asked to click a URL to verify their SingPass login details.