Can Singapore become a passwordless nation?

Is passwordless a more secure method of authentication? (Source – Shutterstock)

Going passwordless is becoming a trend for organizations today. However, shifting user mindsets to trust in passwordless verification methods is difficult. Many still feel that passwords give them a sense of better security.

The problem with sticking to passwords: cybercriminals are becoming adept at breaking and hacking passwords. Despite companies offering password generators and the use of multi-factor authentication, passwords remain a weak link.

In fact, brute force, a hacking technique used by cybercriminals to crack weak passwords, can yield alarming results. A hacker can attempt 2.18 trillion password/username combinations in 22 seconds, and if the password is simple, the account could be easily compromised. Another method, credential stuffing, takes advantage of accounts that never changed their passwords after they were leaked.

In Southeast Asia, a report by Kaspersky showed 47.8 million brute force attacks targeting remote workers from January to June 2022. This amounts to approximately 265k attacks per day on average.

Singapore, in particular, has witnessed an increase in such attacks. These included the smishing campaigns experienced by customers of OCBC Bank last year, which resulted in victims suffering losses of more than SG$8.5 million. Following these campaigns, authorities introduced new security measures, including a ban on links in banking emails and SMS messages.

More recently, there’s been a surge in unauthorized charges on debit and credit cards in the island republic. According to The Straits Times, numerous unauthorized transactions have been reported. The Cyber Security Agency of Singapore stated that these small transactions could be tests by cybercriminals to identify or validate debit and credit card details before making larger transactions, and it advised consumers to set alerts for such transactions on their accounts.

Another recent case in Singapore involved Mediacorp, the country’s national broadcaster. Reports indicated that about 14,000 meconnect users had their passwords reset after their accounts were accessed by an unidentified external party. The credentials are used to access Mediacorp services such as the online streaming platform meWatch. Mediacorp informed all affected account holders about the matter and reset their passwords.

Passwordless authentication methods

Can society accept going passwordless? (Source – Shutterstock)

Time to get rid of passwords? 

For David Hope, Senior Vice President for Asia Pacific and Japan at ForgeRock, the recent increase in unauthorized debit and credit card charges underscores the vulnerabilities associated with traditional password-based authentication systems. As such, Hope believes it is more important than ever to adopt passwordless solutions to ensure better safety and security.

“Our digital identities are central to how we access services like online banking and retail securely. This shift, coupled with the amount of personal information used to access such services, has provided a larger digital surface area for cybercriminals to exploit.

To optimize frictionless security and mitigate these cyber risks, organizations need to ditch passwords. They must embed smarter authentication and verification measures within their technology ecosystems to protect themselves and their users from fraud and ensure potential threats are easily identified,” said Hope.

Passwordless authentication and other AI-driven threat protection solutions create more precise security measures to protect digital identity information. Through this approach, organizations in Singapore can better navigate a growing number of attacks, improve user experience, reduce operational inefficiencies, and save costs from regular password resets.

“As Singapore continues to lead the charge on digitalization across the region, the need for secure access and authorized authentication will only continue to grow, and organizations must focus on improving their systems today to future-proof their competitive advantage and protect their users,” he added.

What does passwordless actually mean?

Passwordless authentication is best described as a means to verify a user’s identity, without using a password. Instead, passwordless methods use more secure alternatives like biometrics.

To make it work, the authentication data (typically a biometric thumbprint or facial recognition) needs to match the data stored in the database. If no biometrics are available, a passkey or multi-factor authentication through personal devices can be used.

Multi-factor authentication on personal devices is already being implemented by some financial service providers, whereby the user’s identity is confirmed through fingerprints or retinal scans on a mobile device.

The FIDO (Fast IDentity Online) Alliance helps to promote open authentication standards and reduce the use of passwords as a form of authentication. FIDO2 is the latest standard that incorporates the web authentication (WebAuthn) standard.

FIDO2 security keys are an unphishable, standards-based, passwordless authentication method that can come in any form factor. Users and organizations can use the standard to sign in to their resources without a username or password, using an external security key or a platform key built into a device.
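Why a FIDO2 sign-in is described as unphishable can be seen in the checks a relying party runs on a WebAuthn assertion. The following is an added example, not code from the article or from the FIDO Alliance: it covers the assertion checks only (type, challenge, origin, RP ID hash, user-present flag, signature), and `bank.example`, the look-alike origin and all function names are constructed for illustration.

```javascript
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();
const RP_ID = 'bank.example';              // constructed relying party ID
const RP_ORIGIN = 'https://bank.example';  // constructed origin the server expects

// Stand-in for browser + authenticator. The browser, not the web page, records
// the origin it is actually on, and that value is covered by the signature.
function signAssertion(privateKey, challenge, originSeenByBrowser) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: originSeenByBrowser,
  }));
  // authenticatorData = SHA-256(rpId) || flags (0x01 = user present) || 4-byte counter
  const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([0x01]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, privateKey) };
}

// Relying-party side: returns 'ok' or the name of the first check that failed.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const clientData = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'wrong-type';
  if (clientData.challenge !== expectedChallenge.toString('base64url')) return 'challenge-mismatch';
  if (clientData.origin !== RP_ORIGIN) return 'origin-mismatch';
  const authData = a.authenticatorData;
  if (authData.length < 37 || !authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rp-id-mismatch';
  if ((authData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([authData, sha256(a.clientDataJSON)]);
  return verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  // P-256 key pair; the server stores only the public key, so there is no secret to leak.
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const challenge = randomBytes(32);
  const genuine = signAssertion(privateKey, challenge, RP_ORIGIN);
  const relayed = signAssertion(privateKey, challenge, 'https://bank-example.test'); // look-alike site
  const rewritten = { ...relayed, clientDataJSON: genuine.clientDataJSON };          // origin edited after signing
  return {
    genuine: verifyAssertion(publicKey, challenge, genuine),
    relayed: verifyAssertion(publicKey, challenge, relayed),
    rewritten: verifyAssertion(publicKey, challenge, rewritten),
    replayed: verifyAssertion(publicKey, randomBytes(32), genuine), // old assertion, new challenge
  };
}

console.log(demo());
```

Unlike a password, an assertion captured on another site or from an earlier session fails one of these checks, and the server-side database holds nothing that can be reused to sign in.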

The challenges of going passwordless

Going passwordless brings several challenges that need to be addressed for successful implementation. The most significant ones are user acceptance and familiarity. As mentioned above, switching from the habit of using passwords to going passwordless can be confusing for some users, especially those in the older generation who are accustomed to passwords.

Introducing new authentication methods may require a mindset shift and user education to ensure widespread acceptance and familiarity. Apart from that, implementing passwordless solutions often requires significant changes to existing systems and infrastructure. Compatibility issues may arise when integrating with legacy systems that are designed to work with passwords, which can hinder the adoption of passwordless methods.

Passwordless authentication methods should also prioritize a seamless user experience while ensuring accessibility for users with disabilities. Balancing security requirements with ease of use and accommodating diverse user needs can be challenging.

Another challenge is the recovery and account management process, which will be completely different. Instead of just a password reset, organizations need to develop alternative mechanisms for users to regain access to their accounts in case of device loss, biometric changes, or other circumstances.

So, can a country like Singapore become a passwordless nation?

Due to the infrastructure in the country, implementing passwordless systems will be complex. However, given the country’s connectivity, deploying such methods is certainly possible. The only question is, will the public be open to such changes? While the system may work for some authentication methods, it may be some time before every industry implements it.