Singapore censures use of national identification numbers for authentication

What are the risks from using NRIC numbers to authenticate individuals?

The NRIC is a unique 9-character identification number issued by the Government to an individual in Singapore, which the Advisory notes has been used with increasing frequency by organizations as a means of authenticating the identity of individuals or as the default password for an individual accessing confidential information.

The Advisory emphasizes that this practice is unsafe, as the NRIC uniquely identifies an individual, and may be known to multiple parties, such as employers or educational institutions.

As such, there is significant risk that it could be used by unauthorized persons to impersonate an individual and gain access to confidential information.

From an organizational perspective, these potential threats bring with them an increased risk of data breaches and the potential compromise of confidential information.

What are some permitted alternative authentication methods?

The Advisory instructs organisations to promptly transition to stronger authentication measures, which can be determined using a risk-based approach.

Factors such as (i) the information being particularly sensitive or (ii) there being potential threats and vulnerabilities with the authentication method necessitate employing stronger authentication methods.

‘Strong’ authentication options include:

1. Something only the person knows (e.g. strong passwords);
2. Something only the person owns (e.g. security token, smart card); and
3. Something only the person has (e.g. fingerprint, face, iris, palm vein).

Where feasible, multi-factor authentication which combines at least two of these categories should be implemented to reduce the likelihood of a data breach.

Practical steps for organizations

• Review current practices: Authentication processes should be immediately reviewed to reflect the move away from the use of NRIC numbers as authentication credentials or passwords, and the implementation of stronger authentication options. In general, organisations should stop using any unique identifier as authentication credentials or passwords due to the related data security risks. This would likely include a foreign passport number, and non-Singapore government assigned identifiers, such as Japan’s My Number, India’s Aadhaar, and a U.S. social security number.
• Update internal policies and procedures: Relevant internal policies and employee training should be updated to reflect the organization’s compliance with this prohibition against the use of NRIC numbers or other unique identifiers as authentication credentials or passwords. Moreover, the importance of adhering to this measure and the data security risks associated with non-compliance should be effectively communicated to all staff and users.
• Keep abreast of developments: Organizations should closely monitor developments in this area to ensure ongoing compliance with local laws, regulations and guidance. Specifically, organisations can expect to see updated and new sector-specific guidelines that reflect the Advisory, developed by the PDPC in collaboration with the MDDI.

Takeaways

It is generally understood that the Advisory represents and establishes a clear prohibition in Singapore, against the use of NRIC numbers as authentication credentials or passwords.

Regardless of whether your business operates in Singapore or internationally, one should take heed by eradicating right away, the use of any unique identifier (whether in full or partially) for authentication purposes, particularly given the significant data security risks that such a practice carries.

Should you need assistance or have enquiries about whether and how this new Advisory affects your organisation, please reach out to your usual contact at Hogan Lovells or the authors.

Authored by Charmian Aw and Ciara O’leary.