Singapore has added face verification as a two-factor authentication (2FA) option to log into SingPass, an account used by residents to access e-government services. They can also choose to send their SMS one-time password (OTP) to another SingPass user's mobile number, which is offered to help less digitally savvy users navigate the platform with external assistance.
The two additional 2FA options were introduced as part of the government's efforts to support a digitally inclusive society, said Government Technology Agency of Singapore (GovTech) in a statement Wednesday. The government agency is responsible for the country's ICT and smart nation rollouts.
SingPass users will be able to log into their account first by entering their ID and password, then by scanning their face on an internet-connected computer equipped with a webcam or a mobile device with a front-facing camera. If they do not have access to any of these systems, they can visit selected public locations equipped with the service, including IRAS Taxpayer and Business Service Centre and CPFB's Bishan Service Centre, with more locations to be added progressively.
GovTech said the face verification technology was integrated with security features to safeguard against fraud, such as liveness detection capabilities to detect and block the use of photographs, videos, or masks during the verification process.
The added option not only would be useful to support less digitally savvy users who would not need to key in additional information such as OTPs, but also could facilitate Singaporeans living abroad who might not have a locally-registered number to receive SMS OTPs, said National Digital Identity's senior director Kwok Quek Sin.
The need to better assist the less digitally savvy also led to the inclusion of "multi-user SMS OTP", where SingPass users can link their account to another user's mobile number, such as their child, to receive their OTPs.
The addition of the two 2FA options follows plans to discontinue the OneKey token by the end of March next year. Some 120,000 users of the physical 2FA device, introduced in 2013, are currently being transitioned to the other options, said GovTech.
Singapore's Immigration & Checkpoints Authority (ICA) in October said it has been rolling out iris and facial scanners since July at all automated and manual immigration points located at the passenger halls of Singapore's land, sea, and air checkpoints. These included Changi Airport Terminal 4, Tanah Merah Ferry Terminal, and the Tuas and Woodlands checkpoints that border Northern neighbour Malaysia.
Singapore in September inked a deal with British vendor iProov to provide face verification technology for use in the country's national digital identity system. The security feature was launched as a pilot earlier this year, allowing SingPass users to access e-government services via biometrics.
iProov's Genuine Presence Assurance technology is touted to have the ability to determine if an individual's face is an actual person, and not a photograph, mask, or digital spoof, and authenticate that it is not a deepfake or injected video. Its agreement with the Singapore government also marked the first time the vendor's cloud facial verification technology was used to secure a country's national digital identity.
Violating the principle of least privilege increases the risk of unauthorised access, privilege escalation, and potential security breaches due to unnecessary permissions, compromising the overall security posture.
Ensure that the authentication factors are different and independent of the accessing device. For additional security, consider MFA for privileged actions at the application level (such as step-up MFA challenges via PIM tools).
Without requiring phishing-resistant Multi-Factor Authentication (MFA) for remote access, there is an increased risk of unauthorised access, credential theft, and potential compromise of sensitive systems, especially for users with elevated privileges.
Use automated checks to identify accounts and credentials that should be disabled. For privileged user accounts in applications, consider using automated workflows such as System for Cross-domain Identity Management (SCIM) or identity lifecycle management tools. For cloud service provider accounts, use tools such as AWS Config iam-user-unused-credentials-check to manage Identity and Access Management (IAM) users.
Failure to disable or remove unused accounts or credentials with elevated access increases the risk of unauthorised access, as dormant accounts may become targets for exploitation, compromising the security of the system.
For privileged user accounts in applications, implement automated review workflows or reports. For cloud service provider accounts and roles, use tools such as AWS IAM Access Advisor or Azure AD Access Review to facilitate and manage access reviews.
Without regular access reviews and prompt removal of unauthorised or unintended access rights, there is an increased risk of lingering access, potential misuse of privileges, and compromised security, impacting the confidentiality and integrity of sensitive data.
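The two controls above (disable unused credentials; review access regularly) both reduce to the same check: find credentials that are still enabled but have not been exercised within an allowed window. The following is an added example, not GovTech's tooling or AWS's own rule code. It applies the logic of AWS Config's iam-user-unused-credentials-check (a credential idle for longer than a maximum age is non-compliant) offline to the CSV that `aws iam get-credential-report` returns, so the same report can feed an access-review report. The sample report, the fixed "now" and the 90-day threshold are constructed assumptions; the real report carries further columns that this check does not read.

```python
"""Flag dormant IAM passwords and access keys from an IAM credential report.

Added example (not the page's or AWS's code). Mirrors the idle-age logic of
AWS Config's iam-user-unused-credentials-check on a credential-report CSV.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample in the credential-report column layout (relevant columns only;
# the real report also has password_last_changed, cert_* and *_last_used_region/service).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T00:00:00+00:00,true,2024-05-20T00:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-01T00:00:00+00:00,true,2024-06-01T00:00:00+00:00,true,true,2024-04-15T00:00:00+00:00,2024-06-01T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-07-20T00:00:00+00:00,true,2023-11-02T00:00:00+00:00,false,true,2021-07-20T00:00:00+00:00,N/A,false,N/A,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2020-01-05T00:00:00+00:00,false,not_supported,false,true,2020-01-05T00:00:00+00:00,2024-05-30T00:00:00+00:00,true,2022-02-02T00:00:00+00:00,2022-03-01T00:00:00+00:00
"""

# Fixed evaluation time so the sample is reproducible (assumption for the example).
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
# Placeholder values the report uses where no timestamp exists.
NOT_A_DATE = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value: str) -> Optional[datetime]:
    """Report timestamps are ISO 8601 with offset; placeholders mean 'no date'."""
    return None if value in NOT_A_DATE else datetime.fromisoformat(value)


@dataclass(frozen=True)
class Finding:
    user: str
    credential: str   # "password", "access_key_1" or "access_key_2"
    idle_days: int
    reason: str


def find_unused_credentials(report_csv: str, now: datetime, max_age_days: int = 90) -> List[Finding]:
    """Return every enabled credential idle for more than max_age_days.

    A credential that has never been used is measured from its creation or last
    rotation date, so a key issued and forgotten is still caught.
    """
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        created = parse_ts(row["user_creation_time"])

        if row["password_enabled"] == "true":
            last_used = parse_ts(row["password_last_used"])
            idle = (now - (last_used or created)).days
            if idle > max_age_days:
                reason = "console password last used %d days ago" % idle if last_used \
                    else "console password never used; account is %d days old" % idle
                findings.append(Finding(user, "password", idle, reason))

        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            last_used = parse_ts(row[f"{slot}_last_used_date"])
            rotated = parse_ts(row[f"{slot}_last_rotated"])
            idle = (now - (last_used or rotated or created)).days
            if idle > max_age_days:
                reason = "access key last used %d days ago" % idle if last_used \
                    else "access key never used since it was issued %d days ago" % idle
                findings.append(Finding(user, slot, idle, reason))
    return findings


def audit_sample(max_age_days: int = 90) -> List[Finding]:
    """Run the check over the constructed report at the fixed NOW."""
    return find_unused_credentials(SAMPLE_REPORT, NOW, max_age_days)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.user:12} {f.credential:13} {f.reason}")
```

On the sample, alice and the root account are within the window, while bob's password, bob's never-used access key and svc-deploy's second access key are reported; the output is the disable list for the first control and the evidence list for the second.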
Use Endpoint Management platforms to continuously check and enforce device security posture and deny access if the hardening requirements are not met. Hardened devices include Government Standard Image Build (GSIB) and Security Suite for Engineering Endpoint Devices (SEED).
Identify any default credentials used in any system components before deploying and change them. Configure end-user systems to prompt for password change on first login after account creation or reset.
Failure to change default credentials prior to first use increases the risk of unauthorised access, as default credentials are often well-known and targeted by attackers, compromising the security of the system or device.
For high impact or high risk transactions, use SingPass/CorpPass to identify external users (e.g. citizens). Internal users should use Government managed Single Sign-on (SSO) solutions (such as WOG AAD).
Adopt Single Sign-On (SSO) with just-in-time provisioning or account lifecycle management tools (such as SCIM or CAM) to assist with account management. For systems unable to use SSO, it is recommended to leverage account management lifecycle tools with HR records (such as CAM) to automatically provision and de-provision accounts.
Mobile Device Management (MDM) platforms enable management, monitoring, and secure configuration of endpoint devices. This includes enforcing disk encryption, managing configuration, ensuring regular updates, and providing the ability to remotely wipe data in case of device loss or theft.
Use solutions such as Secure Service Edge (SSE), Identity Aware Proxies (IAP) or other Zero Trust services (Entra ID Conditional Access, Okta Device Trust, etc) that integrate identity and device management systems to provide granular access control to resources based on user identity and device posture. For example, Security Suite for Engineering Endpoint Devices (SEED).
Relying on direct connections or traditional VPNs for remote access can lead to vulnerabilities, as they do not always incorporate strong identity and device-based security measures. This increases the risk of unauthorized access and potential data breaches.
Implement measures such as user authentication and endpoint management with device enrollment to enforce a single primary user per endpoint. If secondary accounts are required for local device support or maintenance activities, consider securing them with endpoint privilege management tools.
Configure multi-factor authentication (MFA) at the Single-Sign On (SSO) identity provider (IdP) and ensure that access to the system is only granted after the IdP authenticates the user. WOG AAD is recommended for public officers and TechPass AAD for developers.
Without Single Sign-On (SSO), there is an increased risk of unauthorized access and compromised user credentials, as users may resort to using weak passwords or reusing credentials across multiple systems, thereby exposing sensitive information to potential security breaches.
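The controls above describe one access decision made from several inputs: the SSO IdP must have authenticated the user, the device must pass the endpoint-management posture check (enrolled, approved hardened image such as GSIB or SEED, encrypted, patched), remote access needs phishing-resistant MFA, and privileged actions need a step-up challenge. The following is an added example of such a policy evaluator; it is not the code of Entra ID Conditional Access, Okta Device Trust, SEED or any other product named on the page. The data model, the factor labels ("fido2", "sms_otp"), the 15-minute step-up window and the scenarios are constructed assumptions.

```python
"""Conditional-access decision combining identity strength and device posture.

Added example, not a product's implementation. Encodes the guidance's rules:
IdP session required, hardened device required, phishing-resistant MFA for
remote access, fresh step-up MFA for privileged actions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"   # re-challenge with a phishing-resistant factor, then re-evaluate


@dataclass(frozen=True)
class DevicePosture:
    enrolled: bool                 # managed by the MDM / endpoint-management platform
    hardened_image: Optional[str]  # baseline the device reports, e.g. "GSIB" or "SEED"
    disk_encrypted: bool
    patches_current: bool


@dataclass(frozen=True)
class Session:
    user: str
    idp_authenticated: bool        # session issued by the SSO IdP (e.g. WOG AAD)
    mfa_method: Optional[str]      # assumed labels: "fido2", "piv", "sms_otp"; None = no 2FA
    mfa_age_minutes: int           # minutes since the last successful MFA challenge
    device: DevicePosture


@dataclass(frozen=True)
class Resource:
    name: str
    privileged: bool               # privileged actions require a fresh step-up challenge


APPROVED_IMAGES = {"GSIB", "SEED"}       # hardened builds named in the guidance
PHISHING_RESISTANT = {"fido2", "piv"}    # assumption: which IdP factor labels count
PRIVILEGED_MFA_MAX_AGE_MIN = 15          # assumption: step-up freshness window


def evaluate(session: Session, resource: Resource) -> Tuple[Decision, List[str]]:
    """Return the decision and the reasons that produced it (empty list on allow)."""
    if not session.idp_authenticated:
        return Decision.DENY, ["session was not authenticated by the SSO IdP"]

    # Device posture: every hardening requirement must hold; any failure denies.
    d = session.device
    failures: List[str] = []
    if not d.enrolled:
        failures.append("device not enrolled in endpoint management")
    if d.hardened_image not in APPROVED_IMAGES:
        failures.append("device not running an approved hardened image")
    if not d.disk_encrypted:
        failures.append("disk encryption not enforced")
    if not d.patches_current:
        failures.append("device missing required updates")
    if failures:
        return Decision.DENY, failures

    # Identity strength: remote access requires a phishing-resistant factor,
    # so an SMS-OTP or password-only session is sent for a stronger challenge.
    if session.mfa_method not in PHISHING_RESISTANT:
        return Decision.STEP_UP, ["phishing-resistant MFA required for remote access"]

    # Privileged actions: even a strong session must re-authenticate if stale.
    if resource.privileged and session.mfa_age_minutes > PRIVILEGED_MFA_MAX_AGE_MIN:
        return Decision.STEP_UP, [
            f"privileged action '{resource.name}' needs MFA within "
            f"{PRIVILEGED_MFA_MAX_AGE_MIN} min; last challenge {session.mfa_age_minutes} min ago"]

    return Decision.ALLOW, []


# Constructed scenarios.
COMPLIANT = DevicePosture(enrolled=True, hardened_image="GSIB", disk_encrypted=True, patches_current=True)
UNMANAGED = DevicePosture(enrolled=False, hardened_image=None, disk_encrypted=False, patches_current=False)
PORTAL = Resource("hr-portal", privileged=False)
ADMIN = Resource("iam-role-assignment", privileged=True)

SCENARIOS = [
    ("fido2, managed device, ordinary resource", Session("alice", True, "fido2", 5, COMPLIANT), PORTAL),
    ("fido2, managed device, privileged action, stale MFA", Session("alice", True, "fido2", 60, COMPLIANT), ADMIN),
    ("sms otp, managed device", Session("bob", True, "sms_otp", 2, COMPLIANT), PORTAL),
    ("fido2, unmanaged device", Session("carol", True, "fido2", 1, UNMANAGED), PORTAL),
    ("no idp session", Session("dave", False, None, 0, COMPLIANT), PORTAL),
]


def run_scenarios() -> Dict[str, str]:
    """Evaluate every constructed scenario; returns {scenario name: decision string}."""
    return {name: evaluate(s, r)[0].value for name, s, r in SCENARIOS}


if __name__ == "__main__":
    for name, session, resource in SCENARIOS:
        decision, reasons = evaluate(session, resource)
        print(f"{decision.value:8} {name}: {'; '.join(reasons) or 'ok'}")
```

Posture failures are evaluated before identity strength on purpose: a strong factor on an unmanaged device still gets a deny rather than a step-up prompt, which is the "deny access if the hardening requirements are not met" rule above. Returning the reasons alongside the decision is what makes the broker's logs usable for the access reviews the earlier controls call for.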
2) Offering more services: Singpass maintains a high level of service availability, by working with an entire ecosystem of relying parties and data providers to interoperate seamlessly. Other than using Singpass for transacting with government services, users can also enjoy greater convenience and accessibility to digital services in the private sector.
1) Application modernization: Transforming the Singpass system through incremental modernization of its backend into modular cloud-native services. This made it easier to offer users a frictionless, secure multi-channel experience together with more use cases such as digital signing and facial recognition. Also, introducing an API platform enabled more organizations to easily integrate innovative services into Singpass.
2) Cloud migration: Building a modern, cloud-native delivery platform vastly improved critical service availability and reliability for end users. It also increased delivery speed, stability and innovation for application development teams. This was one of GovTech's first cloud-native suite of services, helping reach closer to its overall cloud migration goal.
Singpass is one of the world's leading NDI platforms, used by more than 5 million Singapore residents. Transactions that previously took days or hours to complete, often requiring physical visits, now take minutes and can be performed from anywhere with an internet connection.
Singpass now offers seamless access to more than 2,000 services from 700 organizations. It supports more than 500 million completed personal and corporate transactions every year. Its evolution as a trusted all-in-one services app is ongoing.