Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Singapore: CSA issues advisory on multi-factor authentication

The Cyber Security Agency of Singapore ('CSA') issued, on 23 March 2023, an advisory on the importance of using secure multi-factor authentication ('MFA') methods. In particular, the CSA highlighted that MFA is crucial to provide an extra layer of protection to passwords and usernames which are vulnerable to phishing, key logging, and credential leaks.

More specifically, the CSA noted that common types of MFA include SMS-based authentication which generates one-time passwords ('OTPs') which are then sent to users' registered mobile numbers. Likewise, the CSA outlined that biometric authentication may be used, utilising biological or behavioural characteristics to verify user identity. Further, the CSA provided that application-based authentication may be used, with popular apps including Google Authenticator, Microsoft Authenticator, and Authy. Nonetheless, the CSA clarified that each MFA method should be used in combination with usernames and passwords for two-factor authentication ('2FA').

In addition, the CSA stipulated that SMS authentication is not as secure as authenticator apps or biometric authentication, since SMS authentication may be subject to SIM swapping, where threat actors may port publicly available phone numbers so that they receive users' SMS verification OTP and gain access into online accounts. Equally, the CSA noted that SMS authentication may be subject to SMS phishing, where threat actors intercept users' SMS messages and steal verification OTP to gain access into online accounts.

You can read the advisory here.

Feedback