It has been reported that Singapore has added face verification as a two-factor authentication (2FA) option to log into SingPass, an account residents use to access e-government services. They also can choose to send their SMS one-time password (OTP) to another SingPass user’s mobile number, which is offered to help less digitally savvy users navigate the platform with external assistance. The two additional 2FA options were introduced as part of the government’s efforts to support a digitally inclusive society, said Government Technology Agency of Singapore (GovTech) in a statement Wednesday.
The full story can be found here: https://www.zdnet.com/article/singapore-adds-face-verification-multi-user-sms-to-singpass-2fa/
GovTech can be applauded for recognising that once size does not fit all when it comes to security, particularly with the introduction of multi-user SMS. Even though SMS OTP is vulnerable to SIM take-over and phishing-based attacks, introducing it as a second authentication factor greatly reduces the overall likelihood of attacks being successful. Face verification technology is certainly a stronger form of 2FA than SMS, but GovTech’s implementation of a government-owned centralised database of biometric information makes it a prime target for criminals who focus on compromising data stores that contain sensitive data for millions of users. A better approach would have been to rely on device-based biometrics that are already ubiquitous on smartphones, laptops and tablets. Biometric information would only be stored on the user’s personal device, with no central data store for hackers to target, and can leverage modern authentication standards like WebAuthn which have built-in protection against phishing attacks.