The deadline to sign up for SingPass' new two-factor authentication (2FA) came and went yesterday, but access to sensitive e-government transactions was not disrupted.
This is because the Infocomm Development Authority (IDA), which administers SingPass, has adopted a more graduated approach to the process that saw just half the number of potential users sign up when the deadline passed.
Those who have not signed up will be given more time.
Based on the original deadline, all 3.3 million SingPass account holders should have activated 2FA by yesterday.
Otherwise, they would not have been able to transact with the Central Provident Fund Board, Inland Revenue Authority of Singapore, Ministry of Manpower and Accounting and Corporate Regulatory Authority (Acra).
But now, once those who have not signed up log in, they will have one month to register and activate their SingPass 2FA.
How to register
Over the last three months, the Infocomm Development Authority (IDA), which administers SingPass, has been sending letters containing a PIN code to Singapore residents to help them enrol.
The PIN must be entered together with their NRIC number on the website of IDA's subsidiary Assurity Trusted Solutions, which supplies the 2FA system.
Those with Singapore mobile numbers registered on the SingPass website can also activate their 2FA via SMS.
These are the steps to follow:
• Send an SMS to 78111 with the message: ACT(space)SMS (space) NRIC (space) PIN in mailer. This will activate SMS as the medium for receiving the OTP.
• To activate the calculator-like token called OneKey issued by Assurity, the message is: ACT (space) Token (space) NRIC (space) PIN in mailer (space) OTP generated from the token.
• To activate both, the message is: ACT (space) Both (space)NRIC (space) PIN in mailer (space) OTP generated from the token.
Overseas Singaporeans must have their overseas addresses registered with the Immigration and Checkpoints Authority for them to get their PIN letter and token.
They must then enter the PIN and NRIC number on Assurity's website to activate the 2FA feature. They can only select the token as the OTP cannot be sent to a foreign mobile number.
If unsure, overseas Singaporeans can e-mail email@example.com for help.
This means the one-month extended deadline will be different for different users.
"This one-time grace period helps to minimise disruption and provides flexibility to different users who have not set up their 2FA and need to perform urgent e-transactions," said Mr Chan Cheow Hoe, IDA's assistant chief executive.
So far, about half of all SingPass users - or 1.6 million of them - have signed up for 2FA. Those who have 2FA are among the two million active SingPass users.
"While the majority of regular SingPass users are 2FA-ready, we recognise that the remaining 400,000 regular users may need more time to set up their 2FA," said Mr Chan.
The 2FA feature was launched last July to counter security breaches. It uses a randomly generated one-time password (OTP) delivered via SMS or a OneKey token that looks like a mini-calculator.
The OTP must be entered together with the usual SingPass requirements of a password and NRIC number for accessing e-government services.
The sign-up process involves users updating their particulars on the SingPass website and then selecting either SMS or token as the medium for receiving the OTP.
The IDA said the deadline will not be extended forever due to security concerns. It will monitor the sign-up rate of the remaining 400,000 regular SingPass users before deciding when to remove the deadline extension.
"The security of user accounts remains our priority," Mr Chan said. "A range of mitigating measures, such as fraud analytics tools, have also been deployed to ensure the security of SingPass accounts for users who are in the process of setting up their 2FA."