The unauthorised access and abuse of sensitive information and fraudulent transactions can have adverse consequences on individuals’ lives, companies’ reputations, public confidence, and Singapore’s standing as a trusted financial hub. The NAF aims to establish a nationwide strong authentication infrastructure to safeguard against unauthorised access to sensitive information online.
GovTech* has been working closely with regulators of key sectors (e.g. banking and finance, government and healthcare) to coordinate their demands and align their requirements for strong authentication. Examples of demand for strong authentication could include those from financial institutions for their online banking and online securities trading services, government online services, and healthcare sector.
Demand for strong authentication could include those from online banking and online securities trading services of financial institutions, government online services, and healthcare sector.
What is Authentication?
Authentication is the process of validating a person's identity to assure “He is who he says he is”. This is to reduce the risk of identity fraud. There are three recognised factors of authenticating an individual.
"Something you know", such as a password or PIN.
"Something you have", such as hardware security token.
"Something you are", such as finger print, a retina scan and others.
A system is said to use strong authentication when it requires at least two of the three factors before access to the system is permitted. This contrasts with traditional single-factor authentication which requires only one authentication factor (usually a password) in order to gain access or permit transaction.
The first factor, “Something you know”, is typically provided by service providers (SPs) when a user logs into the SPs’ websites.
Assurity assures “He is who he says he is” by authenticating a user with “Something you own”, the second factor.
Over time, when the need arises, Assurity will move onto the third factor “Something you are”.
What is 2nd Factor Authentication (2FA)?
A 2nd Factor Authentication or 2FA is the verification of a user and authenticating that "He is who he says he is" with a unique and randomly generated password from a device that he owns that is linked to his SP.
The current practice used in retail banking is the One-Time Password or OTP. When a user accesses an online service, in addition to User-ID and Password, the user would be required to enter an additional “second-factor password”, which is generated on demand. The dynamically-generated “second-factor password” could be delivered through a device, token (hardware or software) or via SMS. Other types of authentication methods include certificates and/or biometrics.
Today, service providers are deploying their own 2FA infrastructure. As a result, an authentication token or device tends to be proprietary and can only be used to access specific online services and a consumer ends up with multiple 2FA tokens or devices.
Assurity aims to enable consumers to access multiple online services with their various service providers requiring 2FA, with a single device.
*IDA has been restructured to form GovTech on 1 October 2016. SingPass is now managed by GovTech.