Singapore users filing income tax and checking their retirement accounts online can log in with a more secure two-step process from July 5, as the government finally tightens up e-services following an embarrassing security breach last year.
The new SingPass system promises to let users log in like they would for online banking transactions, through what is known as two-factor authentication or 2FA.
Besides a username and a password, they will be asked to key in a second pass code sent over SMS to their phones, or generated by a OneKey token issued for free to Singaporeans and permanent residents.
More than 100 e-services, deemed by government agencies to involve sensitive information, will require users to take the extra step to secure the login process.
Last year, more than 1,500 SingPass accounts were compromised in a high-profile incident that highlighted the vulnerabilities of the ageing system launched in 2003. A hacker had got in via three of the accounts to apply for work permits.
For years, industry experts had advised the government to beef up security for e-services. The revamp now brings the security up to speed with what users are already used to with many online services such as e-mail and e-banking.
For example, when their passwords are changed, SingPass users will get an e-mail notification. At the same time, they will be able to change their usernames, which were previously tied to their IC numbers and easily guessed by a hacker.
Here’s a guide to what you should look out for come July 5.
1. Be more secure online
When you log in to an e-government service via your SingPass account, you will be told to provide and verify your contact details. You’ll also have to set up your security questions, just like when you sign up for an e-mail account, for example.
Additionally, for 2FA, you have to choose to receive your additional pass code via SMS or through the OneKey token. If you opt for the more secure OneKey token, you'll get it within five working days.
If you already have a OneKey token, say, to log in to trade with a securities firm, you can use that same token. Just link it to your SingPass account online.
2. You don’t have to rush
The new system is available from July 5, but you don’t have to rush to reset your new account. You can still do so when you next log in. You have up to a year to sign in to the new system.
What if you have to make an urgent transaction, such as bidding for a government tender on GeBIZ?
You are advised to head down to get your OneKey token over the counter from Assurity, the company issuing it. Or use the one-year grace period – until July 4, 2016 – to get things done the old way, though that’s less secure.
3. Get used to the new interface
Another long overdue feature is a mobile-friendly interface on the SingPass site. The revamped website will be resized to fit the screen of your phone or tablet so it’s easier to log in on the go.
At the same time, the Infocomm Development Authority (IDA) said the authorities have in place data analytics that could suss out attempts to log in illegally.
Sounds good! 🙂
Yes it’s about time, too!