
Singapore censures use of national identification numbers for authentication


On 26 June 2025, Singapore’s Personal Data Protection Commission (PDPC) and Cyber Security Agency (CSA) released a joint statement advising organizations to stop “as soon as possible” the practice of using Singapore national registration identity card (NRIC) numbers, whether fully or partially, as default passwords or for authenticating the identity of individuals (Advisory).

The risks associated with using NRIC numbers as credentials or for authentication purposes were brought into the spotlight in December 2024, after the names and NRIC numbers of office holders were publicly displayed in search results.

This latest Advisory reaffirms the positions of the Ministry of Digital Development (MDDI) and PDPC in their media statements in December 2024 in response to that incident.

More broadly, this Advisory provides an important reminder to all organizations that the use of any unique identifier as authentication credentials or for password purposes presents significant data security risks, and should be avoided where possible.

What are the risks from using NRIC numbers to authenticate individuals?

The NRIC is a unique 9-character identification number issued by the Government to an individual in Singapore, which the Advisory notes has been used with increasing frequency by organizations as a means of authenticating the identity of individuals or as the default password for an individual accessing confidential information.

The Advisory emphasizes that this practice is unsafe, as the NRIC uniquely identifies an individual, and may be known to multiple parties, such as employers or educational institutions.

As such, there is significant risk that it could be used by unauthorized persons to impersonate an individual and gain access to confidential information.

From an organizational perspective, these potential threats bring with them an increased risk of data breaches and the potential compromise of confidential information.

What are some permitted alternative authentication methods?

The Advisory instructs organisations to promptly transition to stronger authentication measures, which can be determined using a risk-based approach.

Stronger authentication methods are necessary where factors such as (i) the information being particularly sensitive or (ii) there being potential threats and vulnerabilities with the authentication method are present.

‘Strong’ authentication options include:

  1. Something only the person knows (e.g. strong passwords);
  2. Something only the person owns (e.g. security token, smart card); and
  3. Something only the person has (e.g. fingerprint, face, iris, palm vein).

Where feasible, multi-factor authentication which combines at least two of these categories should be implemented to reduce the likelihood of a data breach.

Practical steps for organizations

  • Review current practices: Authentication processes should be immediately reviewed to reflect the move away from the use of NRIC numbers as authentication credentials or passwords, and the implementation of stronger authentication options. In general, organisations should stop using any unique identifier as authentication credentials or passwords due to the related data security risks. This would likely include a foreign passport number, and non-Singapore government assigned identifiers, such as Japan’s My Number, India’s Aadhaar, and a U.S. social security number.
  • Update internal policies and procedures: Relevant internal policies and employee training should be updated to reflect the organization’s compliance with this prohibition against the use of NRIC numbers or other unique identifiers as authentication credentials or passwords. Moreover, the importance of adhering to this measure and the data security risks associated with non-compliance should be effectively communicated to all staff and users.
  • Keep abreast of developments: Organizations should closely monitor developments in this area to ensure ongoing compliance with local laws, regulations and guidance. Specifically, organisations can expect to see updated and new sector-specific guidelines that reflect the Advisory, developed by the PDPC in collaboration with the MDDI.

Takeaways

It is generally understood that the Advisory represents and establishes a clear prohibition in Singapore against the use of NRIC numbers as authentication credentials or passwords.

Regardless of whether your business operates in Singapore or internationally, you should take heed and immediately eradicate the use of any unique identifier (whether in full or in part) for authentication purposes, particularly given the significant data security risks that such a practice carries.

Should you need assistance or have enquiries about whether and how this new Advisory affects your organisation, please reach out to your usual contact at Hogan Lovells or the authors.

 

 

Authored by Charmian Aw and Ciara O’leary.
