Nearly six months after the high-profile breach of over 1,500 SingPass accounts, the Infocomm Development Authority (IDA) has shed light on its two-factor authentication (2FA) implementation plans to secure the login process for e-government services.
From the third quarter next year, SingPass users can opt in to enter a one-time passcode generated by a hardware token or an SMS passcode sent to their mobile phones – in addition to their login credentials – before transacting with the government.
While SMS passcodes will be the primary 2FA method, some government agencies may require tokens to be used for more sensitive transactions, IDA told reporters today.
A one-year transition period will also kick in to ease SingPass users into the new login process before the authorities decide if 2FA should be made optional or mandatory.
In April, the government awarded a contract for a new SingPass system, which will let users use their own usernames instead of NRIC numbers to log in to the system, though this will be an optional feature, IDA said.
SingPass users will also be kept aware of their e-government transactions through transaction notifications that are similar to what they receive from banks.
Meanwhile, since October, IDA has required users to change their SingPass passwords every two years, in addition to current security measures such as resetting the passwords of SingPass accounts that show activity not usually associated with those accounts.
It has also started resetting the passwords of 400,000 SingPass accounts that have been inactive for the past three years. The owners of these accounts will need to change their passwords within 14 days or the accounts will be deactivated.
In June, IDA revealed that 1,560 SingPass users may have had their accounts tampered with, of whom 419 had their passwords reset.
This came after the IDA was alerted by users who received letters informing them they had reset their passwords, when they had not. Three of the compromised accounts were reportedly used to make fraudulent work pass applications.
The authorities have not determined the cause of the breach, though they have said weak passwords and malicious software installed on affected users’ computers could be the culprits.
While the 2FA enhancement is a belated one – banks have been using 2FA to secure financial transactions for years – it should restore public confidence in the SingPass system that’s used by 3.3 million users to access 340 e-government services.