Commentary

Two-factor security for SingPass: Two thumbs up

A person looking at the SingPass website. PHOTO: ST FILE

I am glad that SingPass finally has a two-factor authentication system.

For years, I have had a little app on my smartphones called the BattleNet Mobile Authenticator, which offers additional security for all my online games from Blizzard.

The need for this extra protection was apparent a few years ago when World Of Warcraft was at its zenith, and Diablo III had an in-game auction where virtual loot could be sold for cash. Blizzard accounts were targeted because a successful entry meant that hackers could steal my virtual loot and characters and sell them for real money. I got hacked often enough to make additional security necessary.

Whenever I logged into Blizzard accounts, I had to key in an eight-digit number generated by the app.

World Of Warcraft has waned in popularity and Diablo III no longer has the real-money auction. But I continue to install this app on every new smartphone that I use.

The concept of two-factor authentication is quite simple. When you have just a password for security, your only protection is based on what you know, that is, your password. If someone can guess your password, phish it, or have software try passwords automatically, he can break into your account. Two-factor authentication adds a second, independent layer of protection. So, not only must you know something, you must also prove that you possess something, such as your mobile phone (as with the Blizzard app and SMS codes) or a hardware security token. Some systems use a third kind of factor instead, something you are, such as a fingerprint, but the principle is the same: a stolen password alone is no longer enough.

Even these solutions are not safe enough on their own. If your PC has been compromised by a virus or other malicious software (malware), the malware often goes into stealth mode. It simply waits for you to complete your log-in process, second factor and all, then rides on your authenticated session to act as you. This is a problem, especially in Internet banking. The malware can alter the transaction you submit, or show you a Web page identical to your bank's while it does something else in the background. This is a sophisticated attack usually called "man-in-the-browser", a variant of the "man-in-the-middle" attack, and a one-time code that only protects the log-in does nothing to stop it.

It is why the new security tokens issued by banks here are so much more secure. They not only authenticate your entry into your account, but also every sensitive transaction, including the addition of a new payee and each bank transfer. The mini-calculator token generates a code that is tied to the details of that particular transaction, so a code approved for one payee and amount cannot be reused for another, and it requires the user to key those details into the token and press a few buttons.
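The difference between a log-in-only code and a transaction-bound code can be shown in a few lines. The following is an added example, not code from the article, SingPass, OneKey or any bank: it implements standard HOTP/TOTP (RFC 4226 and RFC 6238, using the RFC test-vector key as a constructed secret) for the log-in step, then a transaction code whose HMAC input also covers the payee and amount. The transaction byte layout, the counter handling and the payee/amount values are assumptions made for the demo, not a real token's format. The simulated "malware" does what the text describes: it lets the genuine log-in through, then swaps the transfer details.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared by the token and the bank's server.
# This is the RFC 4226 test-vector key, not a real key.
SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at an offset given by the MAC's last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (the app/SMS-style log-in code)."""
    return hotp(secret, unix_time // step, digits)


def verify_login(secret: bytes, code: str, unix_time: int, step: int = 30) -> bool:
    """Server-side log-in check, allowing one time step of clock drift either way."""
    for drift in (-1, 0, 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * step, step), code):
            return True
    return False


def transaction_code(secret: bytes, counter: int, payee: str, amount_cents: int, digits: int = 8) -> str:
    """Transaction-bound code, the idea behind the bank's 'mini-calculator' token.

    The MAC input covers the payee and amount the user keyed in, so the code verifies
    only for exactly that transfer. Byte layout is an assumption for this demo.
    """
    msg = struct.pack(">Q", counter) + struct.pack(">Q", amount_cents) + payee.encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_transaction(secret: bytes, counter: int, payee: str, amount_cents: int, code: str) -> bool:
    """Bank side: recompute the code over the transfer it actually received and compare."""
    return hmac.compare_digest(transaction_code(secret, counter, payee, amount_cents), code)


def malware_scenario(now: int = 1_436_313_600) -> dict:
    """Simulate 'wait for log-in, then take over'. Default time is 8 July 2015 UTC (constructed)."""
    # 1. The user logs in with a valid time-based code; the bank accepts it.
    login_ok = verify_login(SECRET, totp(SECRET, now), now)

    # 2. Malware in the browser rewrites the transfer the user believes they are making.
    intended = ("ALICE-123", 10_000)    # S$100.00 to Alice (constructed)
    tampered = ("MULE-999", 500_000)    # S$5,000.00 to a mule account (constructed)

    # 3. With log-in-only 2FA nothing binds the session to a transaction: the tampered
    #    transfer travels on the same authenticated session and the bank cannot tell.
    #    With transaction signing, the user keys the intended payee and amount into the
    #    token; the bank verifies the code against the transfer it actually received.
    counter = 7  # per-token transaction counter, assumed tracked by both sides
    user_code = transaction_code(SECRET, counter, *intended)
    return {
        "login_ok": login_ok,
        "honest_transfer_accepted": verify_transaction(SECRET, counter, *intended, user_code),
        "tampered_transfer_accepted": verify_transaction(SECRET, counter, *tampered, user_code),
    }


if __name__ == "__main__":
    print(malware_scenario())
```

The protection only holds if the user keys into the token the payee and amount they actually intend, not whatever a compromised screen tells them to; that "what you see is what you sign" property is why the token is a separate offline device with its own keypad rather than a code delivered to the same PC.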

So if you often use your SingPass and have sensitive information to protect, opt for the national OneKey mini-calculator token (www.onekey.sg) instead of the more convenient SMS. I still hear the argument that SingPass was not breached, only that accounts were illegally accessed, and that users are at fault for not securing their vaults with stronger passwords. This argument does not hold water.

SingPass is not a website like www.cpf.gov.sg or a Web service like Gmail. SingPass is itself the official authentication system that secures entry into all e-citizen and government e-business websites and services.

The lock that secures the virtual gate has clearly been proven to be not strong enough.

I applaud the Infocomm Development Authority's move to launch the new two-factor authentication system. Perhaps it should have come sooner.

But better late than never.


A version of this article appeared in the print edition of The Straits Times on July 08, 2015, with the headline Two-factor security for SingPass: Two thumbs up.