IDA exploring new way to get one-time passwords

SingPass users may soon have another option to receive one-time passwords (OTP).

The Infocomm Development Authority (IDA), which administers SingPass, told The Straits Times that it is mulling over the use of smartphone apps, also known as soft tokens, which would be more convenient for users.

An OTP is an automatically generated password valid for only one login session or transaction.

The OTP is entered in government websites in addition to the SingPass password and NRIC number in a process called two-factor authentication (2FA).

The use of OTPs will be compulsory for sensitive e-government transactions from July 5.

OTPs are now delivered by SMS, or generated on calculator-like security tokens.

The Straits Times understands that IDA is in talks with its subsidiary Assurity Trusted Solutions to implement soft tokens, which are more convenient than carrying a hardware token.

"We will package the offerings of third-party soft token suppliers for potential clients in Singapore in five months," Mr Charles Fan, chief executive officer of Assurity, told The Straits Times.

The public can expect to start using soft tokens by year end if all goes well.

The soft token will come in handy for overseas Singaporeans as IDA does not allow OTPs to be sent via SMS to overseas mobile numbers.

Mr Fan said Assurity's soft token will come with security features so that the OTP is harder to steal when the mobile phone is infected with malware, making it more secure than SMS as an OTP channel.

Last December, the Association of Banks in Singapore warned about malicious programs that could let cyber criminals control Android phones, including reading OTPs received via SMS, to make fraudulent online transactions.

Security experts have warned about the use of SMS messages, which they say can be intercepted easily. For instance, cyber criminals can change the phone numbers associated with bank accounts so that the SMS OTP is delivered directly to the hacker rather than to the account holder.

Smartphones can also be infected easily with spyware that intercepts OTPs and forwards them to computer servers run by hackers.

Hardware tokens still safest, say experts

Security experts say hardware tokens are still the safest mechanism for generating one-time passwords (OTPs) for added security.

This is because they are unconnected, standalone devices, said Mr Vicky Ray, a threat intelligence analyst at network security firm Palo Alto Networks.

The OTPs generated by hardware tokens are not compromised even when computers and smartphones are infected by malware.

But software tokens are more convenient as they can be installed in users' smartphones, without requiring users to carry another device.

This makes them popular, especially with online service providers. For instance, Google's Authenticator software that generates OTPs to better secure users' access to its online services was rolled out some six years ago.

Software tokens' vulnerability depends on how they are designed, said a spokesman for anti-virus software firm Kaspersky Lab.

Some software tokens are designed with security to thwart hacking.

As new-generation smartphones come with fingerprint recognition, software tokens can embed the feature as a security measure, said Mr David Maciejak, head of security software firm Fortinet's FortiGuard Lion research and development team in Asia-Pacific.

But there is no silver bullet. "A software token can work effectively, and will, until the bad guys decide that the cost of attacking it is worth the effort," said Mr Nick Fitzgerald, who is security software maker ESET Asia-Pacific's senior research fellow.

Irene Tham

This article was first published on Feb 10, 2016.