PDPC and CSA Issue Joint Advisory to Organisations against Using NRIC Numbers for Authentication

The Personal Data Protection Commission (“PDPC”) and Cyber Security Agency of Singapore (“CSA”) have issued a joint advisory to advise organisations against using NRIC numbers for authentication.

The advisory sets out the following guidance on the use of NRIC numbers:

  1. NRIC numbers (full or partial) should not be used as passwords to authenticate a person.

  2. Organisations should not set NRIC numbers as default passwords, nor should they use full or partial NRIC numbers together with other easily obtainable personal data for authentication.

  3. Organisations should also be aware that a person may not be who he claims to be just because he is able to state that person’s NRIC number.

The advisory also sets out considerations and options to authenticate persons:

  1. Organisations should take a risk-based approach when choosing the authentication methods, considering factors such as: (i) value and sensitivity of what is being protected; (ii) potential threats and vulnerabilities of the authentication method; and (iii) user experience and accessibility when using the authentication method.

  2. Options to authenticate a person include: (i) something only the person knows (e.g. strong passwords); (ii) something only the person owns; or (iii) something only the person has.
