Business printing and mailing solutions company Toppan Forms has teamed up with Assurity Trusted Solutions to launch Singapore’s first two-factor authentication (2FA) solution for push electronic statements (e-statements). The service allows organisations to email or “push” protected e-statements and other confidential documents directly to clients or business partners, who can then “unlock” them securely and conveniently using the OneKey 2FA token.

The e-statements complement what Toppan Forms is already offering as a one-stop print solutions provider for both private and public sector companies, said Ms Caroline Wong, General Manager, Sales and Marketing. “We anticipate that electronic statements will be the way to go. The print-and-mail concept is something that the Y Generation would want to opt out of in time to come, and maybe a certain percentage of the Generation Xers as well, so we will have to evolve this.”

At the same time, the company is not ignoring the fact that some people may still prefer the feel of paper. Mindful of this, it has decided to adopt a two-prong approach – offering its customers a combination of print-and-mail as well as e-statement options.

With the latter, the e-statements are delivered into the individual recipient’s email account. This is quite different from the conventional model where end users have to log into their service provider’s portal to view their e-statements, said Ms Wong. “End users may forget to do so since the e-statements are not sent directly to their designated email boxes, which may in turn lead to disputes between them and their service providers.”

“With our new solution, end users receive the e-statements directly in their email boxes. They key in an OTP (one-time password) generated by their OneKey to unlock their e-statements. The act of unlocking using a 2FA device and OTP that is unique to them constitutes an acknowledgement of receipt,” she added.

Toppan Forms decided to adopt OneKey as its 2FA solution for several reasons. “Assurity is the operator of the National Authentication Framework (NAF), and IDA (Infocomm Development Authority of Singapore) is pushing for the adoption of OneKey on a nationwide basis, so why not move in tandem with what the government has in view?” explained Ms Wong.

Assurity’s aim to introduce one 2FA device for multiple service providers also resonated with Toppan Forms. “I want to implement something, and I want to make it convenient for the masses and not expect them to hold another token,” she added.

Mr Chai Chin Loon, Chief Operating Officer of Assurity says Toppan Forms’ innovative use of OneKey will help enhance the security of push e-statements. “Currently e-statements that are sent to the recipient’s designated email box are accessible either without a password or with a static password. If the recipient’s email account is hacked, the e-statements’ passwords (if any) can be easily hacked, and the recipient’s personal and financial information stolen.”

In contrast to static passwords, OTPs are not vulnerable to replay attacks. “Even if the cyber intruder manages to record an OTP that was already used to log into the recipient’s e-statement, he/she would not be able to abuse it since it will no longer be valid,” he said.

The company is targeting its protected e-statement solution at organisations such as securities companies and government agencies, as well as corporations that require the security feature for business-to-business communications.

It has identified two broad sets of customers. The first are service providers who are already using the NAF and OneKey, for example, securities companies that require clients to use the 2FA token for online trading. These service providers can value-add by extending the use of OneKey so that their clients can receive invoices or statements electronically, instead of having these documents sent to them via traditional mail. This is not only faster; it also provides confirmation that an e-statement is received when the client uses OneKey to unlock the document.

The other set of potential customers would be Toppan Forms’ existing clients who have not yet adopted 2FA for their processes. The protected e-statement solution could be offered as an option to help these organisations transition to a more convenient paperless solution which caters to the new generation of clients and end users. For example, organisations which offer clients e-statements by default can now have these documents sent directly and securely to the clients via email, instead of having them log in each time to check.

Toppan Forms’ electronic documents are also protected by digital signatures recognised by NetTrust. In addition to this, it is working towards having its processes certified by an auditing firm for compliance with the Electronic Transactions Act, said Ms Wong.