A National Authentication Framework (NAF) operator has been set up to provide service providers and consumers with a convenient, trusted and cost-effective means to secure their online transactions using Second Factor Authentication (2FA).

Assurity Trusted Solutions Pte Ltd, a wholly-owned subsidiary of the Infocomm Development Authority of Singapore (IDA), will own the NAF infrastructure and is expected to start rolling out its services in the second half of 2011.

“The availability of online services in Singapore has been increasing and more people are transacting online today,” said RADM(NS) Ronnie Tay, Chief Executive Officer of IDA, noting that the percentage of online shoppers has increased from 17 per cent in 2003 to 40 per cent in 2009. “When the NAF service is rolled out, it will provide the public and businesses with a convenient, trusted and cost-effective means to better secure online transactions.”

Announcing the National Authentication Framework operator: (From left) Mr Khoong Hock Yun, RADM(NS) Ronnie Tay, Assurity’s Executive Chairman Mr Lim Hup Seng and Assurity's Chief Operating Officer Mr Chai Chin Loon.

Unlike single factor authentication which only requires one factor such as the user’s knowledge of a password to access a system, 2FA is based on what the user knows as well as what the user has, for example, a security token. One popular 2FA method involves the dynamic generation of a One-Time Password (OTP) which is delivered to the token or via SMS. The user will have to key in the OTP after entering his ID and password, in order to access
the system.

All qualified Singapore citizens and Permanent Residents aged 15 and above who perform online transactions with 2FA can request for a free first token from Assurity. To lower the barriers for service providers to adopt 2FA, Assurity will provide them with free authentication services for the first two years of operation.

Mr Lim Hup Seng, Executive Chairman of Assurity, said NAF services have the potential to reach out to over three million users in Singapore and could therefore offer service providers better economies of scale. For example banks, which are mandated by the Monetary Authority of Singapore (MAS) to use 2FA and may be facing end-of-life issues with their existing 2FA systems, may want to tap on the NAF to lower their cost per transaction and at the same time allow their customers the convenience of using a single token for all their online transactions.

“This is a significant change from a one-to-one relationship – one token for each organisation – to the use of one token for many services. Without this, the user ends up with many tokens for many organisations,” said Mr Lim.

Another compelling advantage of NAF lies in the cross-functional use of its services, said Mr Khoong Hock Yun, Assistant Chief Executive, Infrastructure and Services Development Group, IDA.

He gave the example of a healthcare scenario in which a user may need to perform secure online transactions with his insurance company, the Central Provident Fund Board for Medisave deductions and the bank for payment. With NAF services, these transactions can be streamlined and made seamless for the end-user.

Besides banks, online securities brokerage companies have also been strongly encouraged by the MAS to implement 2FA systems this year.

Smaller companies seeking to offer more secure online transactions will also be able to enjoy the economies of scale offered by the NAF for a more cost-effective authentication solution, instead of investing in their own 2FA infrastructure.

ST Electronics (Info-Security) has been appointed as the vendor to design, build, operate and maintain the NAF infrastructure. It is partnering Data Security Systems Solutions, a local authentication technology provider.

The current NAF infrastructure is being set up to support SMS or token-based OTP, depending on what the service provider wants to offer to its customers. To ensure the integrity of the NAF, the first factor authentication remains with each service provider, and no authentication information flows to Assurity.

According to Ms Ong Lay Peng, Deputy Director, Next Generation Trusted Infrastructure, IDA, OTP was chosen as the authentication method for 2FA because it has the largest deployment base in Singapore. It also does not require any hardware or software installation, thus lowering the barrier to entry for first-time users. However, should there be demand, other authentication mechanisms could be deployed in the future, said Ms Ong.