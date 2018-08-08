It has been three years since SingPass users could change their unique online ID from their NRIC number, but most have failed to do so, The Straits Times has learned.

A spokesman for the Smart Nation and Digital Government Office (SNDGO) declined to reveal the proportion of users who use non-NRIC details to access their SingPass.

In Parliament on Monday, Minister for Communications and Information S. Iswaran said the Government could be reviewing the use of NRIC numbers as the ID for certain online transactions.

The option for SingPass users to use a non-NRIC detail as their SingPass ID was introduced in July 2015, together with other enhanced security measures such as SingPass two-factor authentication (2FA).

This means that in addition to a user ID and a password, a one-time password - sent through SMS or a token - is needed for electronic government transactions, particularly those involving sensitive data.

Experts told ST that the NRIC was useful as an identification detail for SingPass because it is easy to remember and unique to each Singaporean.

But Mr Benjamin Ang from the S. Rajaratnam School of International Studies (RSIS) said that because an NRIC can access a host of government services, cyber attackers could do a lot of damage with just that one detail.

"If many systems are linked by one number, such as NRIC, it is convenient for users because we can access them all with that number," said Mr Ang, who is a senior fellow in the Centre of Excellence for National Security at RSIS.

"But this convenience is also a risk, because an attacker can also access them all with that one number, so additional measures like 2FA are needed."

Mr Bryan Tan, a lawyer from Pinsent Masons MPillay specialising in technology law and data protection, said the uniqueness of the NRIC is a double-edged sword, as it is a detail that cannot be changed.

"The NRIC cannot be changed," said Mr Tan.

"That is a big drawback because it is a sole unique identifier that we use for everything. If we need to change it because of a compromising event, that would be disastrous."

But moving from a system where one's NRIC is used to access SingPass by default would be a "large effort" added Mr Ang, as this could involve creating a new form of identification detail for every single online Government platform or database.

Last November, Singapore's privacy watchdog, the Personal Data Protection Commission (PDPC), sought public feedback on proposed guidelines on the collection of NRIC details.

These state that NRIC details should be collected only when the law requires it, or when it is necessary to verify someone's identity "to a high degree of fidelity".

Public consultation ended last December.

The PDPC previously said it would issue the finalised guidelines by the middle of this year.