The digital landscape in Singapore is constantly evolving, bringing both new opportunities and emerging risks. Your organization has a key role in safeguarding the personal data you handle. The Personal Data Protection Commission (PDPC) and the Cyber Security Agency of Singapore (CSA) have issued a Joint Advisory to highlight a significant weakness in typical practices: relying on National Registration Identity Card (NRIC) numbers for authentication. The advisory urges organisations to avoid using NRIC numbers for this purpose.
Understanding the critical distinction: Identification vs. Authentication
Many organisations treat NRIC numbers as a secure authentication factor. The advisory emphasises the importance of understanding the difference between identification and authentication.
- Identification: This is the act of establishing who a person is, for example, using an NRIC number to differentiate one individual from another for administrative purposes.
- Authentication: This is the process of proving that a person is genuinely who they claim to be, "before granting them access to services or information intended only for them."
Why should Organisations refrain from using NRIC numbers?
NRIC numbers are meant for identification and not authentication. They are widely known, often publicly disclosed and can be easily guessed or obtained. Using NRIC numbers or parts of them as your passwords, usernames or authentication tools exposes your organisation to security risks and may violate data protection obligations under the PDPA. This directive underscores a fundamental security principle: NRIC is a unique identifier, not a secure authentication credential.
Mandatory actions for organisations: What You Must Do
These obligations apply to all organisations and employers handling personal data that send protected documents, manage user access, or operate online systems, regardless of industry or size.
The key compliance obligations for organisations are listed below:
- Stop using full or partial NRIC numbers as passwords or default passwords: this applies to online portals, password-protected documents (e.g., emailed statements), and any system that requires a user login.
- Avoid combining NRIC numbers with other easily obtainable personal data (e.g., partial NRIC + date of birth) for authentication.
- Do not assume that a person's identity is verified solely on the basis of their ability to state an NRIC number.
- Implement stronger authentication methods based on:
  - "Something only the person knows (e.g. strong passwords)"
  - "Something only the person owns (e.g. security token, smart card)"
  - "Something only the person has (e.g. fingerprint, face, iris, palm vein)"
Key Actions for Compliance teams
- Ensure that full or partial NRIC numbers are not used by the organisation as passwords or default passwords.
- Remove any authentication processes that rely on NRIC numbers alone or in combination with other easily obtainable personal data (e.g. date of birth).
- Ensure staff are trained to differentiate between Identification and Authentication.
- Implement Stronger Authentication Methods.
- Conduct an audit of all systems and workflows to identify where NRIC numbers are used for authentication.
- Provide training or access to training on secure authentication practices and data protection obligations under the PDPA.
- Continuously monitor systems for compliance with data protection and cybersecurity standards.
- Stay updated with future advisories or regulatory updates from the PDPC and CSA.
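As an added illustration of the audit step above (example code written for this article, not part of the PDPC/CSA advisory), the following Python check flags default passwords or password choices that are built from a user's NRIC number, alone or combined with a date of birth. The record field names (`user`, `nric`, `dob`, `default_password`) and the sample records are constructed for the example; the NRIC values are made up and only the NRIC format, not its checksum, is validated.

```python
import re
from datetime import date

# NRIC shape: prefix letter, seven digits, checksum letter (format only; checksum not verified)
NRIC_RE = re.compile(r"^[STFGM]\d{7}[A-Z]$")
MIN_FRAGMENT = 4  # shortest NRIC substring treated as "partial NRIC" (e.g. the last four digits)

def _normalise(value):
    return re.sub(r"[^A-Za-z0-9]", "", value).upper()  # "s1234567-d" -> "S1234567D"

def _dob_forms(dob):
    # Common ways a date of birth gets typed into a password
    return {dob.strftime(f) for f in ("%d%m%Y", "%d%m%y", "%Y%m%d", "%d%m", "%m%d", "%Y")}

def _longest_nric_fragment(secret, nric):
    # Longest substring of the NRIC (at least MIN_FRAGMENT chars) that appears in the secret
    for length in range(len(nric), MIN_FRAGMENT - 1, -1):
        for start in range(len(nric) - length + 1):
            frag = nric[start:start + length]
            if frag in secret:
                return frag
    return None

def nric_derived(secret, nric, dob=None):
    """Return a finding if `secret` is built from the NRIC (alone or with the DOB), else None."""
    nric = _normalise(nric)
    if not NRIC_RE.match(nric):
        raise ValueError("value is not NRIC-shaped")
    s = _normalise(secret)
    if s == nric:
        return "full NRIC used as secret"
    frag = _longest_nric_fragment(s, nric)
    if frag is None:
        return None
    rest = s.replace(frag, "", 1)
    if not rest:
        return f"partial NRIC {frag} used as secret"
    if dob is not None and rest in _dob_forms(dob):
        return f"partial NRIC {frag} combined with date of birth"
    return f"secret contains partial NRIC {frag}"

def audit_accounts(accounts):
    # (username, finding) for every record whose default password is NRIC-derived
    return [(a["user"], f) for a in accounts
            if (f := nric_derived(a["default_password"], a["nric"], a.get("dob")))]

# Constructed sample records for the audit (made-up NRIC values, not real people)
SAMPLE_ACCOUNTS = [
    {"user": "alice", "nric": "S1234567D", "default_password": "S1234567D"},
    {"user": "bob", "nric": "T7654321A", "dob": date(1990, 1, 2), "default_password": "4321A-0102"},
    {"user": "carol", "nric": "S1234567D", "default_password": "Tr0ub4dor&3"},
]
```

The same `nric_derived` check can be called from a password-change handler to reject NRIC-derived choices before they are stored.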
Conclusion
The move away from NRIC-based authentication is not merely a compliance exercise; it is a fundamental shift towards building a more resilient and trustworthy digital ecosystem. By adopting robust authentication methods, organisations not only comply with the laws that safeguard the personal data of individuals but also strengthen Singapore's collective cybersecurity posture and resilience. This is an ongoing journey: proactive steps now help build a safer digital future, and your commitment today ensures a more secure tomorrow for everyone.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.