Digital Identity Spotlight: Singapore

If you want a telling glimpse at why Singapore ranks among the world’s leaders in digital identity, look no further than this summer’s British invasion. No, this former colony and small southeast Asian city-state-turned-financial-powerhouse isn’t fending off intruding forces. It’s fighting for Coldplay tickets.

With six sold-out shows and online ticket queues topping more than a million for concerts that won’t be performed until January, Singaporeans are calling for more to be done to limit the number of foreigners buying up or scalping tickets for a can’t-miss concert from the chart-topping English band. Among the suggested remedies from online masses jones-ing to experience “A Sky Full of Stars” or “Viva La Vida” live and in person: Calls to use the nation’s Singpass digital identity app to purchase tickets, thereby reducing or eliminating the number of foreign fans that can attend the concerts.

Singpass (aka Singapore Personal Access) is a digital identity that Singaporean residents use to access government and private sector services online and via mobile app with the same level of trust as a face-to-face transaction. It’s also the centerpiece of Singapore’s National Digital Identity program, part of this island-state’s ambitious Smart Nation initiative to fuel digital economy inclusion and growth. With 97% penetration among this tiny island nation’s roughly 5.6 million citizens, Singpass facilitates more than 350 million transactions annually.

The program is considered so successful that countries such as South Korea and Japan seek guidance and collaboration from Singapore in forging citizen identity architectures for verifying, managing, and securing identity. Like programs in Belgium and elsewhere worldwide, digital identity programs are proving vital as the digital world continues to transform every aspect of daily life while fostering a growing number of costly threats.

Digital Identity: Proof or Consequences

Identity verification and proofing have long played an essential role in functioning societies, enabling individuals to prove their identity in person to make purchases, manage finances, receive entitlements and services, and more. But verifying identity in digital channels through authentication based on the usernames and passwords that emerged to protect online accounts have been a goldmine for cybercriminals.

The problem: Organized crime syndicates and state-sponsored threat actors continue to find alarmingly effective ways to crack or pilfer users’ login credentials. A never-ending stream of phishing and spyware attacks harvest credentials en masse, leading to corporate data breaches that have made over 24 billion recently-compromised login credentials and personal identity files accessible to cyber-attackers via underworld websites.

Thieves and malign forces leverage automated technologies to exploit these logins in credential-stuffing attacks that can test more than 22 trillion password-and-username combinations in less than 22 seconds. Once they’ve successfully pirated an account, these cyber-bandits can drain bank funds, steal personal identity information or corporate data to sell online or impersonate account owners to defraud businesses and governments. The price tag: More than US$8 trillion in global losses expected just this year. That’s more than US$20 billion every single day.

Despite being ahead of the curve, Singapore isn’t completely immune to this scourge. An estimated 47.9 million phishing attacks targeting remote workers struck the country in just the first half of last year. Smishing schemes targeting customers of OCBC Bank resulted in losses of more than US$6.4 million—forcing regulators to ban bank emails and text messages. And this March, news hit that hackers had stolen thousands of logins from major tech and Fortune 500 companies after breaching a data center in Singapore and another in Shanghai.

It’s no small matter. Fast, seamless transactions are crucial to the digital economy. So is security. And that requires a universally-accepted form of identity that protects privacy and prevents hackers from stealing and exploiting personal information. As Congressional Leaders in the U.S. weigh the Improving Digital Identity Act passed by the House in April, officials here and elsewhere could benefit from studying Singapore’s progress.

Singapore: A ‘Smart City’ on Digital’s Cutting Edge

Made up of 63 islands and known for sleek, modern architecture, clean streets, a multicultural vibe, and bustling financial and business sectors, the Republic of Singapore is one of the “Four Asian Tigers.” It has also been dubbed “the smartest city in the world”—and it’s easy to see why. The city-state’s Smart Nation approach includes a National Digital Identity (NDI) initiative that is uniquely focused on nurturing digital innovation, infrastructure, and inclusion to enhance citizens’ lives and address their ever-changing needs.

Singapore does have some built-in advantages in this effort. As ThalesGroup.com reports, the populace is educated and tech-savvy. Data from public transport fare cards and in-vehicle sensors is analyzed to continuously improve transport systems. Contactless payments are widely adopted.

Healthcare is entirely digitized and leverages AI chatbots and IoT sensors to guide residents in healing, recovery, and healthy living. And the Singpass app provides a one-stop platform that simplifies establishing identity, registering a birth, paying taxes, renewing passports, accessing government and private sector services, and more.

While the NDI program was first launched 20 years ago, Singpass was first introduced as a web app in 2018 and as a cryptography-based smartphone app in 2021. Citizens 15 and up can enroll, and only three percent of eligible people have yet to do so.

Once enrolled, citizens can register for Singpass, which allows them to use single sign-on to log into accounts, share information, conduct transactions, and sign documents. Two-factor authentication, such as a fingerprint biometric or pin code on the user’s device, is offered to provide an added layer of security, reducing the risk of identity theft and fraud.

Building an Ecosystem of Trust

In Singapore and elsewhere, digital identity is generally comprised of validated digital attributes and credentials designed for the digital world that are verified by cross-referenced government-issued physical world credentials. Think birth certificate, driver’s license, passport, etc. In this case, Singpass is underpinned by the country’s national registration identity card (NRIC).

One of the primary benefits of Singapore’s Singpass is convenience. Citizens don’t need to manage multiple usernames and passwords for different services or transactions. And they can easily access digital equivalents of their driver’s license and Identification Card (IC) through a feature called MyInfo.

By leveraging application programming interfaces (APIs), the service enables users to permit banks and financial services firms to retrieve their personal information to simplify and streamline account enrollment processes. This is also one the first public digital infrastructures to facilitate this form of verification, decreasing the time needed to complete an application by 80%. It has also resulted in a 15% higher approval rate due to better data quality and significant reductions in customer acquisition costs.

But Singpass isn’t yet invulnerable to all possible threats. Earlier this year, scammers allegedly used fraudulent advertising and social media promotions for services like pet grooming and groceries, and dry cleaning lured victims into downloading mobile malware that was used to make unauthorized purchases. According to news reports, money mules allegedly forked over their Singpass credentials and other information to receive and transfer funds.

A Step Toward Decentralized Identities

Singpass may soon give Singaporeans far more control over how their information is used while making digital identity far easier and safer to apply across all sectors of the economy. According to reports, the Government Technology (GovTech) agency that runs Singpass is working on a Decentralized Identifier (DID)-based digital wallet.

While Singpass already offers a digital identity wallet (DIW) that acts like a “digital twin” of hard-copy identity documents, it operates within a federated ecosystem of centralized servers belonging to large public or private organizations. In federated models like this, data or things like selfies captured for facial recognition-based authentication and stored, even for a short time, can conceivably be hacked and either ransomed or exploited to commit fraud.

DID-based wallets, however, use globally unique identifiers that give users a cryptographically verifiable, decentralized digital identity. This approach sets the stage for a future where authenticating users no longer requires personal data to be stored centrally. Instead, users can control what personal information they share and how it’s used—and for how long.

What Should Come Next

I couldn’t agree more with Singapore’s exploration of DID-based digital wallets. In my view, the success of digital identity is predicated on distributed technologies and the architectural advantages they deliver.

With distributed ledger-driven systems, for instance, someone applying for a loan could choose which personal information to share instead of granting a bank access to data about their entire financial lives. They could also share third-party trust scores that allow them to demonstrate creditworthiness without revealing personal information at all.

Perhaps best of all, they would no longer run the risk of having the loan denied due to inaccurate or out-of-date information stored within a federated network. That’s because when users opt to share data, zero-trust systems can apply risk, quality, or credit scores without contributing private user information or metadata to the process. It’s a perfect match with Singapore’s commitment to digital inclusion.

But fair warning: To be effective, digital identity wallets must also comply with NIST-, FIDO2-, and iBeta biometrics-based standards that leverage liveness tests capable of defeating identity spoofing.

Had their calls for restricting purchases of top concert acts to Singpass users been in place, that’s the kind of protection more than a few Singaporean Coldplay fans might appreciate right about now.

Interested in digital identity-based authentication but aren’t sure where the start? You can watch a couple of demos here: 1Kosmos Demo Videos.

Overcoming Resistance to Change on the Journey to Passwordless MFA

Read More