More S'pore govt transactions to go 2FA

Singapore pads up online capabilities and works on protecting transactions dealing with sensitive data, such as healthcare, with two-factor authentication, says IDA infrastructure chief.
Written by Vivian Yeo, Contributor
Khoong Hock Yun, IDA

Few have had the opportunity to influence Singapore's ICT journey as much as Khoong Hock Yun did in his decade-long tenure at the Infocomm Development Authority of Singapore (IDA).

The IDA Assistant Chief Executive, who oversees infrastructure and services development, spearheads Singapore's ambitious next-generation national broadband network, which aims to make ultra-high-speed Internet connectivity available to homes, businesses and schools by 2012. Khoong also oversees the Wireless@SG initiative, which provides free public wireless hotspots within the island-state, and the National Grid, among others.

Also under his purview is the revised National Authentication Framework (NAF). Having made news headlines recently in June, the NAF is now positioned as a government-led common authentication layer. It will be run by an Authentication Operator (AO), which is a wholly-owned subsidiary of IDA, but the building and operations of the NAF infrastructure will be outsourced to a third party via a Request For Proposal (RFP).

In an interview with ZDNet Asia, Khoong explained why the government had to change its approach with the NAF and discussed Singapore's ICT focus going forward.

Q: How different is the current NAF compared to that envisioned at least three years ago?
Khoong: The first stage was really like a market test. Our preference has always been for the private sector to lead this project and the government to help in any way we can. What we found out from the Call for Collaboration (CFC) was that the companies were not able to meet the outcomes we wanted which included adoption figures and setting in place a nationwide authentication framework.

The key issue then was really one of trust. The banks, in particular, saw no value in a pure private sector entity trying to own the NAF because they themselves are already held to quite high standards of performance. They weren't sure if a private-sector company would be able to perform to the standards required, especially for something that is going to be nationwide.

During the CFC, as these issues became more obvious, we went to talk to the banks. Some of them wouldn't even grant meetings to the NAF bidders--it was that bad. IDA, together with the support of the Monetary Authority of Singapore, went to meet the banks and they basically questioned why they should trust those parties. They understood that the initiative was valuable from a national perspective but they weren't convinced about the business model. So we asked, "Would you trust the government to do it?" and they said yes.

So it became clear there should not be a CFC but an RFP for an outsourced provider. That's how it sort of evolved. Three years ago, the question really was "Can the private sector do this?" We found out at that point in time, the answer was no. So the government had to do it.

But does it mean that in five years' time, when the market is developed, the government still needs to do this? What we're trying to do now is build a market for authentication--a market that includes banks, securities companies, healthcare providers and maybe community organizations. If the bigger market is established and people see how a national authentication framework can work, would it make sense then to have the private sector run this? That is something I think the government will seriously consider. If the time is ripe and certain standards of performance are well-established, then we will see whether it makes sense to privatize this thing and get other operators in.

If we do take that route in the future, the government will put in the necessary regulatory framework to ensure there is equal competition. So we actually have built a scenario of exiting the market even before we started. But, we think at this point in time we can't do this without the government owning and taking the lead in building the market--the feedback was it was just not practical otherwise.

Has the AO been established and where will the resources come from?
It has already been established and registered as a company. There will be a core team that is being hired but most of the manpower resources will be outsourced. So the RFP is really for people to come in, build and operate the system under the supervision of the core team.

What are you looking for in this outsourcing partner?
The party must set up the necessary authentication system, work with service providers so that it can be integrated together with their systems, and work with the token providers to acquire the physical tokens and distribute those tokens on a national basis.

The distribution will be quite a challenge. It also has to meet all the service level requirements that we've put in the RFP.

The IDA is looking at a single authentication mode for the national system?
For a start, we are supporting the one-time password (OTP) mechanism used by banks as the second authentication factor. We will be supporting both the physical token OTP as well as the SMS (short messaging service) OTP. We chose to take this route at the beginning because getting the banks and securities industry on board is useful for us and OTP is probably the most widely deployed mechanism out there. Once the NAF system becomes stable, we will be open to looking at other authentication mechanisms.

When the NAF kicks in, what do the existing authentication service providers such as banks have to do in terms of infrastructure? If they want to ride on the NAF, do they have to give up their authentication infrastructure completely?
I suppose it depends on the end-user. If the end-user is a Singaporean or permanent resident and already is in possession of an NAF authentication device, then it is easy for them to move away from their own infrastructure.

There may be a need for the existing providers to equip other people who are not covered by the NAF for whatever reason. Their infrastructure could also be used to process transactions from other countries.

For existing institutions like banks that have their own physical, software or SMS tokens, how then will those fit into the NAF when it's ready? Will their hardware tokens be made redundant?
The timing is quite important. The banks have implemented their tokens for the last four to five years, and tokens usually have a shelf-life of about five to seven years. This is about the time when they would be thinking about refreshing the tokens, so therefore they can then consider whether it makes sense for them at this point in time to move on to NAF or whether they would rather have a parallel system and then progressively migrate.

We hope the NAF, if it gains a certain mass of adoption, would be a far more cost-effective option for them than if they were to manage the authentication themselves. Probably as a bank they need to have the assurance that the NAF would be able to do a good, if not better, job than that done in-house. Anyway, authentication is not necessarily core to a bank--they just need to have it. From that point of view, this is a chance to outsource some of the activities that are not core to their business.

We think that over time, when more and more services are cross-functional, it would make a lot more sense for the banks to come on board. For example, say, you go to the CPF (Central Provident Fund) Web site and you would need to authenticate to perform more sensitive transactions such as capital repayment. If subsequently there are services on healthcare insurance that you wish to purchase, your healthcare records need to be accessed and again authentication is required. You may then choose to pay for the insurance using, say, DBS Bank. What you don't want is within the same transaction, to have to use three different tokens. It becomes unwieldy. We hope that at some point in time, it will make very obvious sense for the banks to be on board the NAF. Not just from a cost and focus point of view, but also from the point of view that it will open up a far wider set of transactions for them. Because other parties providing services to people, especially the government, will be using the NAF, it'd be easier if they were also a part of the system.

Does it mean that when the NAF is ready, some government services that deal with sensitive data will have a second authentication factor?
Yes. As the government moves to the next level of transaction capabilities, there will be certain information that is more sensitive so you would want to ensure you have much better control of that type of information. Currently, our e-government transactions are quite wide-ranging, but public agencies have to stop at a certain level because of the nature of the data--the NAF helps to remove that limitation. There are, of course, not that many of such transactions.

Won't service providers like financial institutions have little choice but to be part of the NAF? Because when the national tokens get in the hands of users and citizens, they are not going to like it if their bank is not seamlessly integrated with the national system?
A lot depends on the business considerations of the service provider. End-users can also make requests to their service provider for certain things to be supported.

We do see that some banks should have good reason to come on board. Some of them don't use hardware tokens because it's far too expensive for them to even implement. For them, this becomes an option that is useful. Some banks may not have as large a customer base so if NAF comes in and gives them an offer, why not?

The securities industry is now beginning to go into second-factor authentication so there is a window for them to come on board. The hospitals will start moving toward two-factor authentication (2FA) for access to patient records and more sensitive information. So as they move forward, would it make sense for them to implement their own system because they don't have the scale? It would make sense for them to use NAF. Our job in NAF is to make sure it does exactly what it says it does in a highly secured manner and on a cost basis, run at a scale which gives cost benefits to all end-users.

In the event that the national authentication services fail, where do citizens put the blame?
There is a complete liability framework that has been worked out. Such practices are already in existence based on what has been done in many of the banks. There are certain agreements all users sign up to anyway, so those things don't change. Between the banks and the AO, there will be a contractual agreement about the circumstances under which liability is tied and to what party, like in any outsourcing contract.

End-users still deal with the same entities such as banks; nobody should deal directly with the NAF other than registering for the token. Other than that, NAF will be totally invisible to them.

Moving away from the NAF, the Singapore government has been focusing a lot on broadband infrastructure and improving broadband speeds over the last few years. Now that the NBN is in the rollout phase, where will the emphasis be going forward?
The NBN project will last until 2012 when we reach 95 percent of households and beyond. We have also put in place certain requirements for open access and the industry is also being restructured--some of this restructuring takes time to implement. So we see ourselves being busy with this initiative for a reasonable amount of time.

As the infrastructure gets in place, the focus moves to services--how to enable the various industries to make better use of next-generation services. IDA's work has been moving very much into how infocomm technology can transform various sectors such as logistics, banking, construction. It's about how they can be more interconnected with their suppliers and business partners.

In the past, people were only just becoming more aware of how they can use ICT. Now, I think we've reached a certain maturity stage where people would like to implement technology. The broadband network will help in that respect--having lower connectivity charges will be a boost. At the same time, the IT industry should also see an opportunity to help many businesses and consumers be better prepared for many of the changes brought about by pervasive, high-speed and cost-effective connectivity.

The NBN is on track to be rolled out to 60 percent of homes by the end of this year. What were some of the lessons learnt? What challenges did the IDA face?
We always knew one of the biggest challenges would be getting fiber into the home. Singaporeans are very home proud and pulling in a piece of fiber or any form of wiring into the home is a challenge. So we try to do as much as we can to mitigate that hesitation by making sure it is free for the first 15 meters as the lines are being laid in the precinct.

We also try to make sure that OpenNet (the appointed network company) continues to do their best in terms of minimizing the amount of time workers need to be in the home. The challenge of course is that different homes present different situations. Some are fairly new so the ducts are okay. There are many other homes where the ducts may not be so good and that's when it's harder to wire.

But more importantly, we see this as an infrastructure that will last for the next 25 to 50 years. Although it's hard to get into the home, once we get in, the resident can be assured we will not need to ask another party to pull another piece of wire into his home for some time to come.

What has the take-up rate been? What proportion of home owners actually want the fiber in their homes?
So far, what OpenNet has reported is that 50 percent of homes do let the fiber in. It's encouraging but we certainly think it can be much better. We hope that as more and more people understand what is happening, the take-up will get better. To some extent, when the services actually go live, hopefully, people will see what they are missing out on and start to change their minds.

How is Wireless@SG moving along? Why is there a deadline tied to the free service?
Wireless@SG is driven by the private sector with support from the government. Any private sector tie-up obviously will want to put a cap on the validity of a free service.

Right now, we are trying to work together with the providers on the concept that businesses can be persuaded to adopt Wireless@SG for functions needed by those commercial entities and at the same time, allow some of the bandwidth to be used by the public for free surfing. Some of the malls, for example, are beginning to put in security cameras in the premises running on a more secure implementation of Wireless@SG. We hope this concept makes the initiative more sustainable for the service providers.

In any case, the value of Wireless@SG is really transforming Singaporeans to become much more users of wireless broadband. When we started several years ago, very few people were using wireless broadband and the telcos weren't prepared to invest in high-speed networks. It was a chicken and egg problem--the telcos argued there was no take-up and therefore no reason to deploy; the users blamed network speeds for the lack of use. So IDA went ahead to implement Wireless@SG.

As people understand more and more about the value of wireless broadband, maybe at some point in time, the value of always being connected and doing things on the move will cause them to actually be willing to pay for the services they want. Right now, a lot of people on 3G networks are paying for the mobility. To be honest, when we started Wireless@SG we never asked for it to be free--it was the providers which offered it free.

Which malls have already implemented Wireless@SG throughout the premises?
City Square Mall. As far as I understand from the service providers, more are asking for such implementation. The service providers themselves are also trying to encourage other malls to do so.