Face Verification And Multi-user SMS 2FA Options Added To SingPass – Expert Reaction

It has been reported that Singapore has added face verification as a two-factor authentication (2FA) option to log into SingPass, an account residents use to access e-government services. They also can choose to send their SMS one-time password (OTP) to another SingPass user’s mobile number, which is offered to help less digitally savvy users navigate the platform with external assistance. The two additional 2FA options were introduced as part of the government’s efforts to support a digitally inclusive society, said Government Technology Agency of Singapore (GovTech) in a statement Wednesday. 

The full story can be found here: https://www.zdnet.com/article/singapore-adds-face-verification-multi-user-sms-to-singpass-2fa/

Experts Comments

December 17, 2020
Stuart Sharp
VP of Solution Engineering
OneLogin
GovTech can be applauded for recognising that once size does not fit all when it comes to security, particularly with the introduction of multi-user SMS. Even though SMS OTP is vulnerable to SIM take-over and phishing-based attacks, introducing it as a second authentication factor greatly reduces the overall likelihood of attacks being successful. Face verification technology is certainly a stronger form of 2FA than SMS, but GovTech’s implementation of a government-owned centralised.....Read More
GovTech can be applauded for recognising that once size does not fit all when it comes to security, particularly with the introduction of multi-user SMS. Even though SMS OTP is vulnerable to SIM take-over and phishing-based attacks, introducing it as a second authentication factor greatly reduces the overall likelihood of attacks being successful. Face verification technology is certainly a stronger form of 2FA than SMS, but GovTech’s implementation of a government-owned centralised database of biometric information makes it a prime target for criminals who focus on compromising data stores that contain sensitive data for millions of users. A better approach would have been to rely on device-based biometrics that are already ubiquitous on smartphones, laptops and tablets. Biometric information would only be stored on the user’s personal device, with no central data store for hackers to target, and can leverage modern authentication standards like WebAuthn which have built-in protection against phishing attacks.  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Share on facebook
Share on twitter
Share on linkedin

Recent Posts

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts