SingPass 2FA grace period to end Jan 15

GovTech urges users to take extra online security step for sensitive transactions

After Jan 15, SingPass users who have not signed up for two-factor authentication (2FA) will not be given a grace period to make sensitive e-government transactions.

Signing up for this extra security step was made mandatory in July, and government technology regulator, GovTech, had given users who had not signed up for the service a 30-day grace period upon their first login to SingPass.

During that period, they can continue transacting with government e-services without 2FA, but will be asked to register for one.

But since the majority of SingPass users - 2.3 million - are 2FA-ready, GovTech is ending this grace period to ensure all SingPass users are better protected with 2FA security.

Prior to 2FA, SingPass users needed only their username and a password to gain access. The 2FA system adds another layer of protection by creating random one-time passwords that users retrieve via SMS or a OneKey token.

Users who log in to SingPass before or on Jan 15 next year will still get the full 30-day grace period to complete their 2FA set-up. For example, someone logging in on Dec 30 will be given until Jan 29 to do so, while another user who logs in on Jan 15 will have until Feb 14.

  • How to sign up

    •Log in to your SingPass account on www.singpass.gov.sg

    •Click "Set Up 2-Step Verification (2FA)" under the Quick Links section.

    •Register for a way to receive your One-Time Passwords (OTPs). This can be done via SMS or a OneKey token.

    •Upon successful registration, a PIN mailer and token (if you select token) will be sent to your registered address within seven working days for activation for local users, or 10 days for overseas users.

    •Activate the 2FA feature by following the instructions in the PIN mailer.

    •Those who have verified a Singapore-registered mobile phone number with SingPass can SMS "Register" to 78008 (if in Singapore) or +65 8241-1666 (if overseas). This sets up 2FA where you receive OTPs by SMS only.

    Lester Hio

SingPass users without their 2FA will not be able to perform transactions involving sensitive data when logging in after Jan 15. Instead, they will be prompted to immediately register for 2FA before they can access such e-government services.

Local users will then have to wait for up to seven working days to receive a PIN mailer to activate this service, while overseas users will have to wait up to 10 days.

Mr Chan Cheow Hoe, GovTech's government chief information officer, said: "Having a majority of SingPass users on-board 2FA is a significant step towards improving personal online security and creating a safer cyberspace.

"For users who have not set up their SingPass 2FA, we strongly encourage them to do so to better protect their personal data."

Of the 3.3 million SingPass users, two million are regular users who use their SingPass to perform transactions on more than 100 e-government services online.

To protect against security breaches, users now need to have 2FA to perform sensitive transactions, such as with the Central Provident Fund Board, Inland Revenue Authority of Singapore, Ministry of Manpower and Accounting and Corporate Regulatory Authority.

2FA is not required for online transactions that do not involve sensitive data.

A version of this article appeared in the print edition of The Straits Times on December 10, 2016, with the headline 'SingPass 2FA grace period to end Jan 15'. Print Edition | Subscribe