New mobile soft token solution to be implemented by GovTech subsidiary, Assurity Trusted Solutions
Image credit: Assurity Trusted Solutions
In December last year, over 2.3 million SingPass users, constituting the majority of users, had set up their SingPass 2-Step Verification, also known as 2-Factor Authentication (2FA), placing an additional layer of security for their SingPass account and personal data. Now, the Singapore government is reviewing various options together with the industry, including offering a mobile soft token.
On 14 February, Assurity Trusted Solutions (Assurity) entered into a collaboration with V-Key, a global leader in digital mobile security. V-key, headquartered in Singapore, is accredited by the Infocomm Media Development Authority (IMDA) to deliver an innovative form of authentication via V-Tap, V-Key’s mobile soft token application. V-Key’s software token, which is also deployed by top banks in Singapore, including DBS and UOB, combines the security of hardware tokens with the convenience of SMS-based One-time Password (OTPs).
Assurity is a wholly-owned subsidiary of the Government Technology Agency of Singapore (GovTech). Assurity manages the National Authentication Framework (NAF), a national initiative to strengthen cyber security through identity and access authentication.
Assurity’s authentication service, OneKey is used to perform secure logins, update personal details and conduct online transactions with multiple government and private service providers, including securities trading firms, banks and insurance companies. Till now, OneKey came as a hard token and SMS OTP. By the end of February, there will be the additional option of a mobile soft token.
Users will be able to download the new V-Tap enabled OneKey mobile app onto their mobile device and enrol with a registration code. This effectively binds their identity to their mobile device after which they can authenticate themselves and authorise transactions by means of the soft token.
The app, free for all Singaporeans and Permanent Residents, will be available for whitelisted, non-jailbroken iPhone & non-rooted Android smartphones. Access to the application is secured via PIN & Touch ID. In order to ensure the integrity of the app, the application is equipped to detect and assess threats, such as monitoring for rooted or jailbroken phones, remote administration tool, application tampering, runtime tampering and libraries tampering.
Users often compromise on security for the sake of convenience and there is room for improvement when it comes to cyber hygiene awareness and practices in the Singapore population. In the recent CSA survey, close to three in five respondents were extremely concerned about the security of their financial and personal information. Over 4.1 million residents in Singapore own smart phones, making the OneKey Mobile app an even more convenient solution for many customers, while maintaining security. They can perform online transactions on-the-go conveniently, with one application, without any need to carry an additional device.
The mobile token offers several advantages over the hard token and SMS OTP. A hard token limited by its battery life of 3-5 years, a soft token app can be upgraded over time and requires next to no maintenance and very little cost. Unlike SMS-based OTPs, soft token-based OTPs do not require mobile network connections and can work offline, eliminating latency and delivery issues. It is also ideal for overseas users’ mobile phones with non-Singapore numbers.
In addition, the soft token authentication solution can be easily migrated to a new mobile device in case of loss, or change of device. If a person loses or replaces their phone, they can contact their service provider to reactivate the application on their new phone. Reactivation will deactivate the old application on their previous phone.
V-Tap is built on top of V-OS, V-Key’s pioneering virtual secure element, which equals or betters smart chip security specifications and offers multi-layered protection against advanced threats targeting mobile applications for the Assurity application. The protocols for verification of the user’s identity are as secure as those for services that require strong authentication such as financial transactions.
Charles Fan, Chief Executive Officer of Assurity said: “With cyber threats becoming more sophisticated and the increasing number of people accessing their online accounts via mobile applications, there is a need to outpace these threats and provide end-users with a highly secure and yet convenient authentication option. The launch of this new soft token solution underscores our commitment to constantly seek safe and innovative solutions that cater to consumers’ security and lifestyle needs, such as enabling quick access to multiple online services with the use of a single authentication device.”