This article that I have just seen reminds me one of system securities core values - CIAA (confidentiality, Integrity, Availability and Authenticity). Singapore IDA formed an subsidiary called "Assurity Trusted Solutions Pte Ltd" to oversee & manage their vision called iN2015 master plan to provide secure & trusted party authorizing 2nd Factor Authentication (2FA).
Currently, Online Banking in Singapore is heavily using 2FA - if you are one of the online banking users, you might be holding a token or a cell phone that the authentication codes will be sent to you after you login. Singapore IDA is taking over this stuff to become in charge of this 2FA instead of individual banks. Its main purpose is to make a single authentication device instead of using multiples from various service providers. It also mentioned that business can enjoy cost saving since they do not need to implement it by themselves.
Please allow me to revisit what we learnt about authentication. It is about proving who you really are - that is authentication. There are 3 ways to verify someone - something you know (like your email password), or something you have (like your ID card) or something you are (like your fingerprint or voice). If we want to enforce the systems, it is easy - use more than one verification methods.
Overall, it seems it has benefits to many angles of life. But one thing that come across my mind is "responsibility". First, let's say you are logging into one of Singapore Local bank (says DBS). You got to login using your username and password that the database is maintained in the bank. After you have supplied the correct username and password before your maximum tries is over or before the session timeout has occurred, you will be asked to enter the 2nd authentication code.
If IDA is supplying the 2nd authentication code, that caused me a lot of wonder. First, who is now maintaining the username and password? IDA or individual banks? Moreover, some transactions are considered as sensitive transactions such as fund transfer or paying bills. Such transactions require the 2nd authentication code.
And in the case of online fraud or some undesired event happened, who is now answerable? Bank or 2nd Authentication Code Provider? This is very confusing indeed. When the 1st authentication and 2nd authentication verifiers are different, the arguments of holding the responsibility now fall in grey area.
To see full story about the NAF, read in Straits Times.
Currently, Online Banking in Singapore is heavily using 2FA - if you are one of the online banking users, you might be holding a token or a cell phone that the authentication codes will be sent to you after you login. Singapore IDA is taking over this stuff to become in charge of this 2FA instead of individual banks. Its main purpose is to make a single authentication device instead of using multiples from various service providers. It also mentioned that business can enjoy cost saving since they do not need to implement it by themselves.
Please allow me to revisit what we learnt about authentication. It is about proving who you really are - that is authentication. There are 3 ways to verify someone - something you know (like your email password), or something you have (like your ID card) or something you are (like your fingerprint or voice). If we want to enforce the systems, it is easy - use more than one verification methods.
Overall, it seems it has benefits to many angles of life. But one thing that come across my mind is "responsibility". First, let's say you are logging into one of Singapore Local bank (says DBS). You got to login using your username and password that the database is maintained in the bank. After you have supplied the correct username and password before your maximum tries is over or before the session timeout has occurred, you will be asked to enter the 2nd authentication code.
If IDA is supplying the 2nd authentication code, that caused me a lot of wonder. First, who is now maintaining the username and password? IDA or individual banks? Moreover, some transactions are considered as sensitive transactions such as fund transfer or paying bills. Such transactions require the 2nd authentication code.
And in the case of online fraud or some undesired event happened, who is now answerable? Bank or 2nd Authentication Code Provider? This is very confusing indeed. When the 1st authentication and 2nd authentication verifiers are different, the arguments of holding the responsibility now fall in grey area.
To see full story about the NAF, read in Straits Times.
i am not sure if 2FA is enough. there are many incidents in 2010 that have proven that 2FA (one time password) is not enough security.
ReplyDeleteit is great to hear that national level authentication framework will be rolled out but it needs to be strong enough. Unfortunately above looks way short when it comes to strong authentication.
Warm regards,
Vikram
Security Expert,
vikram@ezmcom.com
www.ezmcom.com