Breaking Down and Simplifying 2FA SingPass Login System

In July 2015, Singaporeans logging into SingPass suddenly faced a new issue: navigating the new two-factor authentication when logging in. All of a sudden, new login details were needed and more information was demanded every time we tried accessing our accounts.

For those who keep up with technology jargon, SingPass’ two-factor authentication (2FA) login system is easily understood. For the rest of us, it can be hard to follow and may simply feel frustrating and tedious. Here, we look at how 2FA, or multi-factor authentication, systems work.

Before diving into the technicalities of multi-factor authentication, we’ll begin with a brief look at why SingPass implemented this 2FA system for logging in.

SingPass links every Singaporean or resident to more than 60 government agencies, allowing each user easy and convenient access to north of 200 e-government services. It is compulsory for all Singaporeans to create a SingPass account once they turn 15. Users can file taxes, access their retirement funds and apply for public housing using their SingPass accounts.

The need for tougher authentication was triggered by high-profile hacking incidents in 2011 and 2014. At that time, SingPass only needed a username and password to log in. However, a hacker managed to illegally access 293 SingPass accounts in 2011. He collected their personal information before selling it to a syndicate producing fake visa applications to enter Singapore. In 2014, 1500 accounts were unlawfully accessed, highlighting the need to better protect sensitive data.

So how does 2FA address these concerns? At its most fundamental level, 2FA needs you to prove your identity twice before you can use your SingPass account.

The most common example of this is pairing our account username and password with a one-time password (OTP) when logging in. Our username and password are the first factor of authentication. We then receive an OTP via SMS, and this is used to complete the login. The OTP is the second factor of authentication.

Authentication systems work on one principle: confirming one’s identity by knowledge or possession factors. In simpler terms, this means using something only the correct person knows or has.

2FA systems expand on this principle, requiring both kinds of factor to confirm one’s identity. While this might sound slightly abstract, these examples may help you better understand the principle.

An example of an authentication system is a door lock. Ideally, only the owner or residents of the house have the key to unlock it; that key is something you have. Entering the password for your Facebook or Google account is also authentication, and the password is something only you know.

SingPass’ 2FA system simply puts these two factors together. Your SingPass username and password are something only you know. Your phone, where you receive the OTP, is something only you have. This doubles the difficulty for anyone trying to guess your username, password and OTP at the same time, protecting your personal information on SingPass.
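To make the two-step flow concrete, here is a small added example of a password-plus-SMS-OTP login in Python. It is not SingPass’ code and does not describe how SingPass’ backend actually works; the user store, the `+65-0000-0000` phone number and the SMS gateway (replaced by an in-memory list) are all constructed for illustration. It shows the properties a defender expects of the second factor that the text only implies: the OTP is only issued once the first factor has passed, it is random, it expires, it is single-use, and it is discarded after a few wrong guesses.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory user store (hypothetical; not SingPass' real backend).
# Passwords are stored as salted PBKDF2 hashes, never in plaintext.
_USERS = {}

# Stand-in for an SMS gateway: a real deployment would call one instead.
_SENT_SMS = []

PBKDF2_ROUNDS = 200_000


def register(username, password, phone):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    _USERS[username] = {"salt": salt, "hash": digest, "phone": phone, "otp": None}


def check_password(username, password):
    """First factor: something only the user knows."""
    user = _USERS.get(username)
    if user is None:
        # Do the same work for unknown users so response time does not
        # reveal whether a username exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, user["hash"])


def issue_otp(username, now=None, ttl=120):
    """Second factor: a fresh random 6-digit code bound to the account,
    valid for `ttl` seconds, delivered to the registered phone."""
    now = time.time() if now is None else now
    user = _USERS[username]
    code = f"{secrets.randbelow(10**6):06d}"
    user["otp"] = {"code": code, "expires": now + ttl, "attempts": 0}
    _SENT_SMS.append((user["phone"], code))


def verify_otp(username, code, now=None, max_attempts=3):
    """Check the code the user typed against the pending OTP."""
    now = time.time() if now is None else now
    user = _USERS[username]
    pending = user["otp"]
    if pending is None or now > pending["expires"]:
        user["otp"] = None  # nothing pending, or it has expired
        return False
    pending["attempts"] += 1
    ok = hmac.compare_digest(pending["code"].encode(), str(code).encode())
    if ok or pending["attempts"] >= max_attempts:
        # Single-use: consumed on success, thrown away after too many guesses.
        user["otp"] = None
    return ok


def start_login(username, password, now=None):
    """Step 1 of the login: verify the password, and only then send an OTP."""
    if not check_password(username, password):
        return False
    issue_otp(username, now=now)
    return True


def finish_login(username, code, now=None):
    """Step 2 of the login: the OTP the user received completes the login."""
    return verify_otp(username, code, now=now)


if __name__ == "__main__":
    register("alice", "correct horse battery", "+65-0000-0000")
    assert start_login("alice", "correct horse battery")
    phone, code = _SENT_SMS[-1]          # what the user reads off their phone
    print("logged in:", finish_login("alice", code))
```

The `now` parameter exists so the expiry and single-use behaviour can be exercised with fixed timestamps; a real service would simply use the clock. Note that the password check deliberately costs the same for unknown and known usernames, and both comparisons use `hmac.compare_digest` so that timing does not leak which characters matched.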

To conclude, SingPass had to update its security in response to multiple breaches. The simple username-password combination meant that a huge amount of extremely sensitive data could be illegally accessed by hackers. The 2FA system doubles the security of one’s account, which is crucial for an account as important as SingPass.