S'pore banks resisting NAF signup due to hassle, control

Regulatory administration and security doubts are key reasons why banks prefer to issue their own separate 2FA tokens, instead of leveraging the common platform under the National Authentication Framework.
Written by Ellyne Phneah, Contributor
OneKey, the 2FA token of Singapore's National Authentication Framework (Source: Assurity)

Banks are still hesitant to get on board the National Authentication Framework (NAF) because of what they believe to be added regulatory compliance, and so that they can have greater control over their own IT security.

According to Chai Chin Loon, COO of Assurity Trusted Solutions, the subsidiary of the Infocomm Development Authority of Singapore (IDA) set up to oversee operations of the NAF, only two banks--RHB Bank and ICICI Bank--have signed up for OneKey, the 2FA token of the NAF so far.

This is because banks have security and regulatory "concerns" when it comes to signing up for the NAF, he explained, speaking to ZDNet in an interview Friday.

If banks replace their own tokens with OneKey, they will completely outsource their authentication security to the NAF, Chai noted.

In 2005, the government announced a National Authentication Framework (NAF), as part of a national initiative to beef up Singapore's IT security landscape.

In January 2011, Assurity Trusted Solutions was appointed to oversee operations of the NAF.

In December 2011, the government launched OneKey, a physical 2FA authentication token to increase the security of transactions in the framework.

This includes the potential added hassle and inconvenience of having to work with another agency over security management. Banks may be especially nervy about changing the status quo because regulators will "keep a close eye on it", as there are strict rules that govern security outsourcing, such as risk transfers and mitigations, which can cause regulatory issues for the banks, he said.

Using their own tokens also gives banks greater control over their IT security, especially in terms of availability and breakdowns, Chai added. For example, banks are able to distribute the tokens, or fix them when they spoil, any time they want, whereas with OneKey they may have to go through Assurity's customer service center to replenish supplies and for repairs, he said.

According to IDC in a previous report, banks are more risk averse when it comes to "rip-and-replace" exercises. "They will often watch one another and choose to join later in the game," it said.

Other than the two banks, seven trading firms and one insurance firm, NTUC Income, have also signed up under the NAF, Chai said, adding that the company was still in "talks" with vendors who require 2FA authentication, mainly from the financial, government and healthcare industries.

Convenience, durability will drive banks' uptake of OneKey
However, Chai "foresees" banks will sign up under the NAF over the next few years, in addition to their own 2FA tokens.

With OneKey, users have a choice of tokens and a "back up" login key should the bank's token break down, and it can also be a form of "risk diversification" for the bank, he added.

He added that ultimately, users would choose to use OneKey instead of the bank token because it brought more convenience for them. With NAF's 2FA token, users can conduct transactions across all vendors of the National Authentication Framework, while a bank token is only able to conduct transactions across one service, he pointed out.

Some bank tokens also have durability issues, Chai pointed out. For example, a 2FA token which is flatter and longer is "innovative with great potential", but may have a shorter lifespan and durability issues, he said.

"Due to the thinness, the battery lifespan may be affected, and when the card token flexes at a wrong angle, it may crack," he said.

Focus on increasing user base, education in 2013
Moving forward, Assurity hopes to continue to push adoption of the NAF by gaining more users, Chai noted. For example, the company holds quarterly seminars for service providers interested in signing up under the NAF, he said.

Currently, users will only receive OneKey if the service provider they are using signs up for the NAF, he explained. However, the company is working to see if users can register and get it from the OneKey Web site itself, he pointed out.

The company also hopes to continue ramping up education by getting users to understand the importance of 2FA, along with cyber threats, through activities such as public road shows, exhibitions and talks at tertiary institutions, he added.
