Singpass introduces passkeys for more secure login; only for iPhone users starting July 1

Singpass has launched a new passkey login to strengthen security for residents and reduce the risk of scams such as phishing, said the Government Technology Agency (GovTech) today (June 30).

This new login method for Singpass will be available from July 1, with the initial beta phase available to iPhone (iOS) users only. It will be extended to Android users in subsequent phases.

The new login system strengthens defences against emerging cyber threats without compromising a seamless digital experience, while offering strong resistance to phishing attacks, said the agency in a media statement.

Lee Shih Yen, deputy chief executive (development) of the Cyber Security Agency of Singapore, said: "Stronger phishing-resistant authentication methods such as passkeys can significantly reduce the risk of attackers exploiting stolen login credentials, while offering users a simpler and more seamless login experience."

Passkeys, said GovTech, offer a more secure authentication method than passwords, which can be stolen, and conventional QR codes, which scammers can mislead users into scanning. 

Authentication via passkeys would also prevent unauthorised access through such methods.

Device-bound

These Singpass passkeys, said the agency, are device-bound and since no login credentials like passwords or One-Time-Password (OTPs) are entered, the risk of credential theft is also significantly reduced.

They cannot be authenticated on fake websites, and only work on real government websites and official private sector services integrated with Singpass, protecting users against phishing scams.

Singpass has also introduced an additional layer of protection for its users by ensuring that their passkeys never leave the device, unlike passkeys on platforms like Google and Microsoft that are stored on the cloud.

Winston Teo, senior director of Singpass at GovTech Singapore, said Singpass is "constantly evolving" its security to ensure that the platform "remains safe and secure".

"GovTech Singapore is committed to making Singpass a trusted, well-designed national digital identity that is secure, inclusive, and provides users peace of mind during transactions," he added.

No password, no OTP

Passkeys use a public-private key cryptography to verify that a login is taking place with a legitimate service.

The private key will be stored securely on the user's device, protected by their biometrics — e.g. fingerprint or face recognition — or app passcode. The corresponding public key will be registered with Singpass. 

"Think of a passkey as two halves of one special key, made just for your Singpass account," said a GovTech spokesperson. 

"Your phone keeps one half; Singpass keeps the other. Only when they fit together perfectly does the key work. Your half never leaves your phone and the Singpass half does nothing on its own. There's no password or OTP to type, so there's nothing a scammer can trick out of you."

Initial Rollout

GovTech shared that the new login method will be rolled out progressively, with the initial beta rollout for iPhone (iOS) users logging in via mobile browsers beginning at 10am on July 1. Android users will be able to access this feature in later phases.

All users will be notified through their Singpass app when the passkeys feature is available to them.

“Passkey logins on separate desktop browsers, which use Bluetooth proximity checks for cross-device authentication, will be made available in later phases,” said GovTech.

The agency added that users may still login via existing methods including QR login, Face Verification, and SMS OTP.

Nevertheless, the agency strongly encouraged users "to adopt passkeys as they provide an additional security layer against phishing scams and increasingly sophisticated cyber threats".

User support, especially for seniors

To support user adoption of passkeys, GovTech will also be expanding its assistance channels. 

Users who need help can contact the Singpass Helpdesk or visit a ServiceSG or Singpass counter located in Community Centres or Clubs across Singapore.

Some users, such as seniors, may require additional support when adopting this new login method. 

As such, GovTech said that it will also work with partners like the People’s Association and the Infocomm Media Development Authority to support outreach and provide assistance to users who require additional help.

Singpass added that it welcomes feedback via the contact form on the Singpass website or within the Singpass app settings, as part of ongoing efforts to enhance the Singpass service.

[[nid:737749]]

[email protected]