One-time password a must for NUS data

One-time password a must for NUS data

SINGAPORE - All 50,000 staff and students at the National University of Singapore (NUS) will soon be required to use a one-time password (OTP) for everything from e-mail to online lessons and human resources data.

NUS will be the first tertiary institution here to mandate varsity-wide use of OTPs, which are randomly generated by a token or sent via SMS.

Such passwords are entered on websites in addition to the usual user name and password in a process called two-factor authentication (2FA).

In tender documents seen by The Straits Times, NUS said it wants the 2FA system to also support software token, a programme that can be installed on smartphones or laptops to generate one-off passwords. The tender closes next Friday.

The security upgrade comes after a university Web server that hosted research papers was hacked, and 70 staff passwords were stolen and posted online in January.

When asked, some faculty staff lauded the move, saying it is timely amid heightened cyber threats.

Professor Lee Der Horng of the civil and environmental engineering department said: "Sensitive human resources, finance and procurement data must be secured by the hardware token used by banks today."

Others questioned the move and wondered what the threat might be. "Online teaching materials and e-mail are not high-value items unlike banking and credit card information," said NUS professor of economics and information systems Ivan Png.

A few NUS students also expressed doubts. Ms Chloe Lim, 25, said: "It will be a hassle to use tokens for such purposes."

Mr Woo Wen Xuan, 23, said the move was "a knee-jerk reaction" to the hacking incident. He added that two-factor protection would be more pertinent for staff than students.

Mr Chai Chin Loon, chief operating officer of Assurity Trusted Solutions, the issuer of OneKey, the national 2FA device, expects more tertiary institutions to roll out 2FA - for their staff at least.

Mr Thio Tse Gan, an executive director of enterprise risk services practice at Deloitte, said this two-factor system is not foolproof and must come with good security policies too.

"For instance, systems have to be tested regularly and sensitive data must be encrypted with access restricted to only a few."

This article was first published on August 23, 2014.
Get a copy of The Straits Times or go to for more stories.

More about

Purchase this article for republication.



Your daily good stuff - AsiaOne stories delivered straight to your inbox
By signing up, you agree to our Privacy policy and Terms and Conditions.