IDA exploring new way to get one-time passwords

The Infocomm Development Authority (IDA) is mulling over the use of smartphone apps, also known as soft tokens, which would be more convenient for users. ST PHOTO: LIM YAOHUI

It is in talks to deliver OTPs via 'soft tokens' to make e-govt transactions more convenient

SingPass users may soon have another option to receive one-time passwords (OTP).

The Infocomm Development Authority (IDA), which administers SingPass, told The Straits Times that it is mulling over the use of smartphone apps, also known as soft tokens, which would be more convenient for users.

An OTP is an automatically generated password valid for only one login session or transaction.

The OTP is entered in government websites in addition to the SingPass password and NRIC number in a process called two-factor authentication (2FA).

The use of OTPs will be compulsory for sensitive e-government transactions from July 5.

OTPs are now delivered by SMS, or generated on calculator-like security tokens.

The soft token will come in handy for overseas Singaporeans as IDA does not allow OTPs to be sent via SMS to overseas mobile numbers.

The Straits Times understands that IDA is in talks with its subsidiary Assurity Trusted Solutions to implement soft tokens, which are more convenient than carrying a hardware token.

"We will package the offerings of third-party soft token suppliers for potential clients in Singapore in five months," Mr Charles Fan, chief executive officer of Assurity, told The Straits Times.

The public can expect to start using soft tokens by year end if all goes well.

Mr Fan said Assurity's soft token will come with security features so that the OTP is harder to steal when the mobile phone is infected with malware, making it more secure than SMS as an OTP channel.

Last December, the Association of Banks in Singapore warned about malicious programs that could let cyber criminals control Android phones, including OTPs received via SMS, for making fraudulent online transactions.

Security experts have warned about the use of SMS messages, which they say can be intercepted easily. For instance, cyber criminals can change the phone numbers associated with bank accounts so that the SMS OTP is delivered directly to the hacker rather than to the account holder.

Smartphones can also be infected easily with spyware that intercepts OTPs and forwards them to computer servers run by hackers.

A version of this article appeared in the print edition of The Straits Times on February 10, 2016, with the headline 'IDA exploring new way to get one-time passwords'.