News broke yesterday that the personal data of some 1,500 residents here may have been accessed illegitimately.
A mass security incident on such a scale must raise the question: Is it time to speed up the introduction of additional security checks for a national system that has more than 3.3 million registered users and supports 57 million e-government transactions?
Piecing together what might have happened from the account given by the Infocomm Development Authority (IDA) yesterday, it seems that whoever the perpetrators were, they could have used a brute-force attack to gain access. This means trying out a range of easy passwords on random accounts, or running malware on users' computers.
The security incident is still under investigation and it is too early to make any conclusions yet.
But what seems clear is that a second layer of defence involving the use of a one-time password (OTP), known as two-factor authentication (2FA), would likely have been a far stronger defence against illegal access.
In a 2FA-protected system, a user cannot just enter a user-id and a password to gain access to his account. A one-time password is sent to his mobile phone or generated by a special token. This second password must be entered before he is granted access.
So even if the perpetrators were able to randomly guess a user's weak password, they would not be able to access a 2FA-protected account unless they also received the second password on the user's mobile phone or generated it on the user's physical token.
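To make the mechanism concrete, here is an added illustration (not code from the column, the IDA or the SingPass system) of the two-factor login described in the two paragraphs above. It models the "second password" as a time-based one-time password (TOTP, RFC 6238) generated from a secret that only the user's phone or token holds, and shows that a correct or guessed password on its own is refused, that a guessed OTP is refused, and that a captured OTP cannot be replayed. The `Account` record, the sample user, the weak password and the demo secret (the RFC 6238 test secret) are all constructed for this example.

```python
"""Added example: minimal model of a 2FA login (password + TOTP).
All names and sample values are constructed for illustration."""
import hashlib
import hmac
import os
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, dynamically truncated to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(now / step).
    This is what the user's phone app or hardware token displays."""
    return hotp(secret, now // step, digits)


class Account:
    """One constructed user record: salted password hash, the OTP secret
    shared with the user's token, and the last accepted OTP counter so a
    code that was captured once cannot be used a second time."""

    def __init__(self, password: str, otp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.otp_secret = otp_secret
        self.last_counter = -1

    def check_password(self, attempt: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.pw_hash)


def login(acct: Account, password: str, otp: Optional[str], now: int, step: int = 30) -> bool:
    """Grant access only if the password matches AND a fresh OTP for the
    current time step (or the previous one, to tolerate clock drift) is
    presented. Either factor alone is not enough."""
    # Always run the password check so the response time does not reveal
    # which factor failed.
    pw_ok = acct.check_password(password)
    if otp is None or not otp.isdigit():
        return False
    counter = now // step
    used = None
    for c in (counter, counter - 1):
        # Refuse any counter already consumed: blocks replay of a captured code.
        if c > acct.last_counter and hmac.compare_digest(hotp(acct.otp_secret, c), otp):
            used = c
            break
    if pw_ok and used is not None:
        acct.last_counter = used  # consume the code
        return True
    return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"  # RFC 6238 test secret; demo value only
    acct = Account("password1", SECRET)  # a weak, guessable password
    t = 59  # fixed clock for a reproducible demo
    print("password only:      ", login(acct, "password1", None, t))
    print("password + guessed: ", login(acct, "password1", "000000", t))
    code = totp(SECRET, t)  # the value shown on the user's phone or token
    print("password + real OTP:", login(acct, "password1", code, t))
    print("same OTP replayed:  ", login(acct, "password1", code, t))
```

The point the column makes is visible in the last four lines: knowing the weak password gets the attacker nowhere without the device that produces the current code, and even a code that was observed once is dead after a single use.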
In August 2012, the IDA actually put out a tender for a new SingPass system that would provide 2FA to protect access to e-government services.
But the tender attracted only one bid, which was from Assurity Trusted Solutions, a subsidiary of the IDA. There was no award for the tender for reasons that were not disclosed publicly.
In June last year, another 2FA tender was put out. This time, the IDA asked for an enhanced SingPass system that could support "any 2FA services that government agencies might choose to subscribe to in future".
No decision on this tender has been announced.
Given the latest incident, the public will want a decision to be made soon.
After all, SingPass is the mother of all passwords, and is the passport to all kinds of citizen records.
With SingPass access to someone's account, one will know how much he earns, where he stays, and even what car he drives.
To counter increasingly sophisticated hacking techniques, the Monetary Authority of Singapore has already required all financial institutions in Singapore to implement 2FA protection systems.