There’s a reason why I don’t log in to my CPF account much. Well, two reasons.
First, I can’t withdraw the money to use like I would at an ATM. Second, it’s troublesome to log in with my SingPass account and then look for a token to key in a second pass code.
This two-factor authentication, or 2FA, is great in making things more secure but it’s also a little cumbersome. Some users opt for a pass code sent over SMS, which security experts now say isn’t as secure – it can be intercepted on a phone, as you’d imagine.
So, I was really happy to see the new biometrics-enabled SingPass Mobile app launched this week, which lets you log in more securely with your phone as the physical token.
Unlike before, you don’t need a separate token to carry around. Plus, the app is more secure than SMSes which can be easily read off a phone if an attacker manages to access it.
In other words, we have finally found a way that makes things more convenient yet more secure at the same time. Those two features are often at opposite ends of a spectrum but for once, they work together here.
In that sense, this SingPass Mobile app is a big step forward for Singapore’s smart nation ambitions. You can only be smart when you are able to log in to your online services and this app is a game changer that combines security and convenience.
In future, as users adopt a digital ID that they will use for everything from shopping at a retail store to paying taxes online, a system like SingPass that is central to everything has to be robust, secure and easy to use.
In other words, the new app is an important piece of the smart nation puzzle going beyond what we do today. Just like the original SingPass enabled a few hundred government e-services to be deployed in the 2000s, the new app means more transactions can be done securely in future.
Just to make sure it lives up to the hype, I downloaded the app on my Android phone today. It took mere seconds, as the GovTech developer team promised, to get started. Within minutes, I was logged in to my CPF account.
To get started, fire up the app and log in once to your SingPass account. This tells the app you are who you say you are. Then set up a pass code for the app. If your phone has a fingerprint sensor – most new ones do now – you can just tap your finger to log in.
When you use your phone to visit a government website that uses SingPass, you simply tap on a QR code icon on the screen and scan your fingerprint on your phone. No passwords needed.
To be honest, I am surprised at the speed and convenience. Coming just a few short years after an embarrassing SingPass breach in 2014, the improvements are commendable.
To be sure, the Singapore government isn’t the first to deploy such technology. The much-used Google Authenticator app now lets users log in to many online services in a similar way. The same for a Microsoft app that lets you get into your Office 365, Skype and other related services.
However, getting every citizen onboard with SingPass could be a tougher challenge for government agencies. The early intermittent glitches that were reported with SingPass Mobile, though they are fixed now, are testament to that.
At the same time, the government has to make sure those who are not savvy with technology are not left behind. This is especially so, when digital IDs become common and you only need a fingerprint or a face to verify your identity in future.
Indeed, there are already other mobile apps that make use of face recognition to verify who you say you are. So, instead of scanning a fingerprint, any phone with a camera could in future be used to sign in a user by scanning his face.
Will the adoption of such digital IDs mean that users will be more at risk of fraud in future? Should the recent hacking cases in the Singapore healthcare sector give us pause?
It’s inevitable that hackers will catch up to any new technology. Given the opportunity, they will threaten widespread fraud. A simple password may have been enough in the past but not today, when they are so easily stolen or exposed.
At the same time, all digital, connected data is fraught with risk. Unless we pull the cord now, which is impossible, there is no fail-safe way to stop someone from stealing personal data.
However, there is a way to manage this risk. That’s by adopting more secure and robust ways to access our personal data. A digital ID that is easy to use yet solidly secured is clearly the way forward.
To improve is always good and I love the app. It’s fast enough, and I do not have to worry about 2FA / SMS.
But when it comes to “improving security”, I doubt that’s the case and would like to ask a few questions if GovTech is reachable.
First and foremost, the “risk” is totally on the user (or smartphone) in that a weak passcode/phrase is all it needs to log in to gov services. What happens if a phone is stolen/lost and the intruder manages to log in to the device?
The qr scan just sends a uri redirect (e.g https://singpassmobile.sg/qrlogin?transactionid=SP-QRCODE-XXXXX etc) and user authenticates with stored data + authorizes (kinda) with biometric info.
The weakness here appears to be the “passcode” of the phone and personally I feel the security is by no means an improvement compared to 2FA-SMS and still inferior to 2FA-OneKey (HW token).
P.S. With respect to TOTP / HOTP, I am inclined to GovTech developing their own instead of using Google / Microsoft too. For the open standard claim, it’s not a standard but a proposal. Also SHA-1 was broken a couple of years ago and if the intruder is really smart (proj aurora?) then once again it can be broken. Theoretically a lot of things can be done but security is about reducing risk to an acceptable level.
Hi Komatinen, thanks for pointing this out. Yes, the hardware token is safer, I’d agree. I also love the app – I’ve been using my fingerprint to log in instead of the passcode. On security, I believe GovTech responds to public feedback quite quickly. It’s worth a shot getting in touch with them. https://www.tech.gov.sg/Contact-Us
I get your point. But I mentioned Google authenticator to avoid going too technical.
What I really meant was to use TOTP.
TOTP and HOTP are open standards (https://tools.ietf.org/html/rfc6238); they do not depend on any vendor.
And, as you pointed out, the Singapore government surely has the scale to develop an authenticator themselves in a very short time if needed. After all, it is an open and well-documented standard.
My comment was aimed at understanding whether these TOTP apps have some vulnerabilities I am not aware of or whether it is simply a poor technical choice on their side.
I see also a number of banks going the same direction and I was wondering why.
That’s a good point, Mik. Yes, I agree with you here on open standards. It’s something I should ask GovTech when I have the chance.
Why not use an authenticator such as Microsoft Authenticator or Google Authenticator?
What’s the idea here as a standard? If you need to log in to two dozen websites, do you need to install, update and configure 24 apps?
Hi Mik,
You are right that Microsoft’s and Google’s authenticator apps are more commonly used. They are also used by other apps. Could the SingPass app have used these technologies? It’s possible, I think.
However, I also think that the Singapore government has enough scale – it has hundreds of e-services that can now be accessed through this app. By creating your own app, you also avoid relying on a third-party technology vendor, which means you cannot control the development of a fundamental piece of a smart nation puzzle.
I agree with you though, on the number of apps needed in future. Hopefully, we don’t need so many apps – like one for banking, shopping and paying taxes. One app for all government services is a way forward, I think. At least, I don’t need so many tokens now – just my phone.
This was what I wrote back in 2013:
https://www.techgoondu.com/2013/12/21/commentary-multiple-two-factor-tokens-are-a-drag-to-users/