There’s a reason why I don’t log in to my CPF account much. Well, two reasons.
First, I can’t withdraw the money to use like with an ATM machine. Second, it’s troublesome to log in with my SingPass account and look for a token to key in a second pass code.
This two-factor authentication, or 2FA, is great in making things more secure but it’s also a little cumbersome. Some users opt for a pass code sent over SMS, which security experts now say isn’t as secure – it can be intercepted on a phone, as you’d imagine.
So, I was really happy to see the new biometrics-enabled SingPass Mobile app launched this week, which lets you log in more securely with your phone as the physical token.
Unlike before, you don’t need a separate token to carry around. Plus, the app is more secure than SMSes which can be easily read off a phone if an attacker manages to access it.
In other words, we have finally found a way that makes things more convenient yet more secure at the same time. Those two features are often at opposite ends of a spectrum but for once, they work together here.
In that sense, this SingPass Mobile app is a big step forward for Singapore’s smart nation ambitions. You can only be smart when you are able to log in to your online services and this app is a game changer that combines security and convenience.
In future, as users adopt a digital ID that they will use for everything from shopping at a retail store to paying taxes online, a system like SingPass that is central to everything has to be robust, secure and easy to use.
In other words, the new app is an important piece of the smart nation puzzle going beyond what we do today. Just like the original SingPass enabled a few hundred government e-services to be deployed in the 2000s, the new app means more transactions can be done securely in future.
Just to make sure it lives up to the hype, I downloaded the app on my Android phone today. It took mere seconds, as the GovTech developer team promised, to get started. Within minutes, I was logged in to my CPF account.
To get started, fire up the app and log in once to your SingPass account. This tells the app you are who you say you are. Then set up a pass code for the app. If your phone has a fingerprint sensor – most new ones have now – you can just tap your finger to log in.
When you use your phone to visit a government website that uses SingPass, you simply tap on a QR code icon on the screen and scan your fingerprint on your phone. No passwords needed.
To be honest, I am surprised at the speed and convenience. Coming just a few short years after an embarrassing SingPass breach in 2014, the improvements are commendable.
To be sure, the Singapore government isn’t the first to deploy such technology. The much-used Google Authenticator app now lets users log in to many online services in a similar way. The same for a Microsoft app that lets you get into your Office 365, Skype and other related services.
However, getting every citizen onboard with SingPass could be a tougher challenge for government agencies. The early intermittent glitches that were reported with SingPass Mobile, though they are fixed now, are testament to that.
At the same time, the government has to make sure those who are not savvy with technology are not left behind. This is especially so, when digital IDs become common and you only need a fingerprint or a face to verify your identity in future.
Indeed, there are already other mobile apps that make use of face recognition to verify who you say you are. So, instead of scanning a fingerprint, any phone with a camera can be used to sign in a user by scanning his face in future.
It’s inevitable that hackers will catch up to any new technology. Given the opportunity, they will threaten widespread fraud. A simple password may have been enough in the past but not today, when they are so easily stolen or exposed.
At the same time, all digital, connected data is fraught with risk. Unless we pull the cord now, which is impossible, there is no fail-safe way to stop someone from stealing personal data.
However, there is a way to manage this risk. That’s by adopting more secure and robust ways to access our personal data. A digital ID that is easy to use yet solidly secured is clearly the way forward.