Timely move to reduce steps for SingPass OTP sign-up

More changes are coming for SingPass. Three months ago, the Infocomm Development Authority (IDA) rolled out a one-time password (OTP) feature to make it more secure for people to use SingPass in e-government transactions. It will also let users change to a new SingPass username for the first time.

However, signing up for the OTP feature is not a straightforward exercise.

I wrote a commentary last week likening it to being put through an obstacle course.

Following that, the authorities told me they were planning to reduce the number of steps involved to make it easier for the public to sign up.

The IDA's willingness to tweak something as massive as SingPass in the middle of its new system rollout is commendable.

But in a way, IDA has no choice. It needs to get all 3.3 million SingPass users on the OTP bandwagon by end-June next year. This is because an OTP will be mandatory for transactions involving sensitive data such as those managed by the Central Provident Fund (CPF) Board, Inland Revenue Authority of Singapore (Iras) and Manpower Ministry.

Heightened security resulted after more than 1,500 SingPass accounts were breached a year ago. Three of the accounts breached were used to make fraudulent applications for work passes.

Offering better security is one matter. But there will be a backlash if people cannot access their CPF or Iras accounts, or apply for work passes, come July next year when OTP becomes mandatory.

IDA has not revealed the number of people who have successfully signed up for OTP, but I've heard that the number is low.

It is not hard to understand why. After my commentary last week, several readers wrote in to relate their own painful encounters. For instance, one reader, Mr Lee Teck Chuan, wondered if he was "going the way of the dinosaurs" when signing up to use SingPass' OTP feature.

"The number of times that we must create and enter passwords on SingPass or Assurity's website, and link everything I created together still befuddles me," said Mr Lee. Assurity is an IDA subsidiary that supplies the OTP solution.

On The Straits Times Facebook page, netizens also lamented that there are too many steps.

But by end-December, the labyrinthine registration will be a thing of the past."

IDA will cut out the last of the three steps currently required.

The sign-up for OTP involves, first, updating one's mobile number or e-mail address on the SingPass website administered by IDA. Then users are taken to the website of Assurity to indicate if they wish to receive the OTP via SMS, or use a calculator-like token.

After that, it is a wait of up to five days to receive a PIN by snail mail.

The second step involves entering the mailed PIN on Assurity's website to activate the OTP feature selected earlier.

Most people would think they would be done with registration at this stage. But there is yet one more step - which most miss out - and that is to link the OTP feature to the existing SingPass account on SingPass' website.

Come December, the linking will be automated, removing the need for people to do so manually.

However, they will be asked to consent to SingPass sharing their account information with Assurity.

I'm sure most would agree to do so. After all, Assurity is part of the IDA.

This article was first published on September 30, 2015.
Get a copy of The Straits Times or go to straitstimes.com for more stories.