DEV Community

Cover image for Singapore Banking Authentication
vdelitz for Corbado

Posted on • Originally published at corbado.com

Singapore Banking Authentication

Introduction

The Monetary Authority of Singapore (MAS) has mandated that all major retail banks transition from One-Time Passcodes (OTPs) to more secure digital tokens within three months. This move aims to combat the rising tide of phishing scams, which have caused significant financial losses. This article explores the MAS announcement, the benefits of digital tokens, and the potential of passkeys as a superior solution for banking security in Singapore.

Read full blog post here

MAS Announcement on Phishing Scams and Digital Tokens

On July 9, 2024, MAS and the Association of Banks in Singapore (ABS) announced the phasing out of SMS OTPs. This decision addresses the increasing sophistication of phishing attacks that trick customers into disclosing OTPs on fake websites. Digital tokens, which are bound to a specific device, provide a more secure alternative by generating authentication codes directly on the user’s device.

What are Digital Tokens and Why are They More Secure?

How Digital Tokens Work

Digital tokens enhance security by using time-based or cryptographic methods to generate authentication codes. These codes are device-specific, reducing the risk of interception by phishers.

Enhanced Security Features of Digital Tokens

  1. Device Binding: Authentication codes can only be generated on the user’s device.
  2. Multi-Factor Setup: Initial setup involves SMS or email OTPs to verify identity.
  3. Cryptographic Protection: Uses strong algorithms to ensure secure code generation.

Case Study: DBS Bank’s Implementation

DBS Bank requires a combination of SMS and email OTPs, along with a banking PIN, to set up digital tokens on a mobile device. This method significantly reduces the risk of phishing attacks, although it does not completely eliminate it.

Passkeys for Singapore Banking

Why Passkeys are More Secure Than Digital Tokens

Passkeys offer a robust solution to the limitations of digital tokens. Unlike digital tokens, passkeys are inherently phishing-resistant, as they can only be used on the legitimate site that issued the challenge. This ensures that users cannot be tricked into entering their credentials on fraudulent sites.

The Case for Passkeys: Australia as Role Model

Australia’s Essential Eight standard highlights the importance of phishing-resistant authentication. Singapore can follow this example by integrating passkeys into its digital security standards, thereby aligning with global best practices.

Recommendations for Singapore Banks

  1. Start Collecting Passkeys Early: Integrate passkey collection into current authentication processes.
  2. Replace PINs with Passkeys: Implement passkeys as the primary authentication method.
  3. Employ Passkeys as a First Factor or Additional Risk Measure: Use passkeys for multi-factor authentication.
  4. Educate Customers about Passkeys: Inform customers about the benefits of passkeys.
  5. Collaborate with Regulators and Industry Peers: Work with MAS and peers to standardize passkey implementation.
  6. Invest in Infrastructure and Support Systems: Ensure robust systems to support passkey authentication.
  7. Monitor and Adapt to Emerging Threats: Continuously update security measures.

Conclusion

The MAS mandate to replace SMS OTPs with digital tokens marks a significant step toward enhanced digital banking security. While digital tokens offer improved protection, passkeys provide a comprehensive, phishing-resistant solution. By adopting passkeys, Singapore’s banking sector can set a new standard in digital security, aligning with international best practices and ensuring a safer banking environment for all users. Find out more in our full blog post.

Top comments (1)

Collapse
 
aehnh profile image
Anders

😎