SingPass safety enhancements: Two-factor authentication demystified

The Infocomm Development Authority of Singapore (IDA) announced that it is adding new security features to protect SingPass users.  -- ST PHOTO: LIM YAOHUI
SINGAPORE - On Thursday, the Infocomm Development Authority of Singapore (IDA) announced that it is adding new security features to protect SingPass users. These include two-factor authentication for sensitive transactions.

What is two-factor authentication?

Also known as 2FA, it is a security process where a user provides two means of identification to log in to an account. Having only a password to guard an account is single-factor authentication.

Adding a second factor of authentication places another layer of security on the account. Authentication factors typically fall into three categories: knowledge, possession, and inherence (biometrics). Knowledge refers to something only the user knows, such as a password; possession is something only the user has, such as a mobile phone; and inherence is something only the user is, such as a person's thumbprint. 2FA therefore requires the user to provide authentication means from at least two of these three categories.

Some examples:

2FA is not all that new. In fact, you may have been doing it for years without realising it.

Making transactions at the ATM, for instance, requires two-step verification. The user first needs to have the ATM card (possession), and next, the PIN (knowledge).

Almost all Internet bank transactions require a user to have the PIN to the bank account, and a physical token or a mobile phone which generates a one-time password. For added security, one-time passwords are only valid for a short period of a few minutes. After that, a user will have to request a new one.

Most social networking sites and e-mail accounts now encourage users to link their accounts to their mobile phone numbers, which prompts a user for 2FA when the user signs in from a new device.

Sources: Monetary Authority of Singapore, Great Eastern, Maybank, Standard Chartered Bank