In Singapore, SingPass is a trusted digital identity that provides convenient and secure access to thousands of government accounts and services to citizens, online and in person. Previously, SingPass utilized on-device biometrics like Apple’s TouchID and FaceID as part of its verification system. However, the rise in fraudulent activities, including hacking through social engineering tactics, prompted SingPass to take decisive action to require a biometric factor in an app and no longer trust the biometrics built into devices.
Recent Scams
In a recent incident reported by local media, victims received fake notifications containing a link that led them to download malware onto their devices, granting unauthorized access to their device. This compromised the on-device biometrics and allowed scammers to bypass authentication and engage in fraudulent activities using the victims’ identities.
This incident underscores the vulnerability of on-device biometrics and the necessity for more secure authentication methods. SingPass has recognized these risks and has shifted towards in-app face verification, which operates independently of the device’s biometrics.
SingPass’ Identiface face verification utilizes biometrics stored on a secure government server, mitigating many of the risks associated with on-device biometric verification and the facial recognition technology commonly present in smartphones.
On-Device vs. In-App Biometric Authentication
The face recognition feature on smartphones compares the user’s face with a registered photo stored on the device. Anyone with access to the pin code for the device can register a face. In contrast, Identiface compares the user’s face with their biometric records stored on Identiface’s server.
Furthermore, smartphone face recognition technology often lacks the robust security measures of SingPass’ Face Verification and may not offer the same level of liveness detection, rendering it more susceptible to spoofing.
To illustrate, consider a scenario where both Apple’s FaceID and Identiface are enabled on a mobile banking app. On an iPhone, if someone else (like a household member) has access to your phone and has set up FaceID, they would be able to authenticate themselves and access your bank account through the mobile banking app. In In-app biometric authentication, only the user whose identity is linked to their account can authenticate themselves on the mobile app. This authentication process entails comparing the captured facial image with the biometrics database managed by trusted entities.
The SingPass Identiface face verification system offers a secure and efficient way to access sensitive services. While on-device biometric verification carries risks, SingPass has implemented robust security measures to protect user data. Entities worldwide are increasingly acknowledging that on-device biometrics are not adequately secure. To learn more, read our white paper that compares consumer and enterprise grade biometrics.
News references
https://www.todayonline.com/singapore/cpf-log-face-verification-malware-phishing-scam-2201836