People who do not own mobile phones, especially the elderly, will soon be able to access government e-services via a family member's phone.
SingPass, the national authentication system that governs access to government digital services of more than 60 agencies, will be updated to allow an account holder to tag family members to his mobile number to receive the one-time password (OTP) via SMS.
SingPass will also be upgraded to allow users' faces to be scanned for verification purposes, even if they do not have a mobile phone. They would be able to do so via a computer with a camera, or using a family member's smartphone.
"We recognise that there are users who do not have mobile phones, or require more assistance from their family members to transact with the Government," said Mr Kwok Quek Sin, GovTech's senior director of national digital identity, in a Straits Times Forum letter published yesterday.
He was replying to Forum letters from readers published on July 3 and April 10, which expressed concern over the phasing out of the physical security token OneKey for generating OTPs.
From Oct 1, these tokens will no longer be issued or replaced when, for example, the batteries are dead.
And from April 1 next year, users will no longer be able to use OneKey tokens to access their Central Provident Fund accounts or pay parking fines.
One of the readers, Ms Lim Pei Pei, said that her elderly mother needs the token to access government e-services as she does not have her own mobile phone.
Mr Kwok said: "We are committed to ensure SingPass is inclusive, convenient and easy to use for citizens."
GovTech said that more information about the new SingPass features will be announced later this year.
The OneKey tokens are being phased out because of low usage.
Specifically, only 2 per cent of all logins use the token. More than 98 per cent of all SingPass logins are now done by scanning one's fingerprint or face on the SingPass Mobile app, or via SMS authentication.
While IT security experts welcome the upgrades, they point out that the move could also open the door to a number of risks.
Mr Lim Yihao, principal analyst of Mandiant Threat Intelligence at cyber-security firm FireEye, said the mobile number solution assumes that all users are on good terms with their family members, or even have a nuclear family.
"If the senior citizen is on bad terms with his family, tagging his SingPass to their phone might impede his access to SingPass services even more," he said.
"If the senior citizen has no family, his account might be tagged to (the phone of) a friend or relative, who could potentially misuse his accounts for malicious purposes," he added.
Mr Yeo Siang Tiong, general manager of South-east Asia at cyber-security firm Kaspersky, said that it is also easy for people to sneak a look at the OTP if lock-screen notifications are enabled, potentially compromising all the accounts linked to the number.
Mr Bryan Tan, a lawyer from Pinsent Masons MPillay who specialises in technology law and data protection, said that risk mitigation steps must be considered for this to work, such as having transaction notifications sent to multiple parties in the case of an elderly user who has multiple children.
Other ideas involve having algorithms pick up anomalies, such as the account suddenly being accessed at odd hours in a departure from existing patterns, or a deluge of transactions immediately after the account is linked to a mobile number.
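As an added illustration (not GovTech's or SingPass's actual logic), the two anomaly checks described above can be sketched over an account event log. The event format, account names, sample data and all thresholds are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample events (account, ISO timestamp, kind); not real SingPass data.
EVENTS = [
    ("acct-A", "2020-07-01T10:05", "login"),
    ("acct-A", "2020-07-02T11:20", "login"),
    ("acct-A", "2020-07-03T09:45", "login"),
    ("acct-A", "2020-07-04T10:30", "login"),
    ("acct-A", "2020-07-05T14:00", "link_mobile"),
    ("acct-A", "2020-07-05T14:02", "txn"),
    ("acct-A", "2020-07-05T14:03", "txn"),
    ("acct-A", "2020-07-05T14:05", "txn"),
    ("acct-A", "2020-07-06T03:10", "login"),
    ("acct-B", "2020-07-05T23:50", "login"),
]

MIN_HISTORY = 3                    # assumed: logins needed before judging hours
HOUR_TOLERANCE = 2                 # assumed: hours of slack around usual hours
BURST_WINDOW = timedelta(hours=1)  # assumed: window after linking a number
BURST_LIMIT = 3                    # assumed: transactions in window that alert

def hour_gap(a, b):
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def detect(events):
    """Return (account, timestamp, reason) alerts for the given events."""
    alerts, usual_hours, linked_at, post_link = [], {}, {}, {}
    for account, stamp, kind in sorted(events, key=lambda e: e[1]):
        ts = datetime.fromisoformat(stamp)
        if kind == "login":
            seen = usual_hours.setdefault(account, [])
            if len(seen) >= MIN_HISTORY and all(
                    hour_gap(ts.hour, h) > HOUR_TOLERANCE for h in seen):
                alerts.append((account, stamp, "odd_hour_login"))
            else:
                seen.append(ts.hour)   # only normal logins extend the baseline
        elif kind == "link_mobile":
            linked_at[account], post_link[account] = ts, 0
        elif kind == "txn" and account in linked_at:
            if ts - linked_at[account] <= BURST_WINDOW:
                post_link[account] += 1
                if post_link[account] == BURST_LIMIT:
                    alerts.append((account, stamp, "burst_after_link"))
    return alerts
```

Alerts like these would feed the kind of multi-party notification Mr Tan suggests rather than block access outright, since an account with little history (acct-B here) gives the baseline nothing to compare against.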
Despite the risks, Madam Julie Lim, 50, said she is looking forward to having the option of linking her mobile phone number to her 79-year-old father's SingPass account. He does not own a phone and he prefers to go to government offices in person to access services.
She said: "This would be a good option as he gets older and has a harder time walking. Also, in a pandemic, he really should stay at home."