Joint Advisory against using NRIC Numbers for Authentication by the Personal Data Protection Commission (PDPC) and Cyber Security Agency of Singapore (CSA)

The PDPC and CSA advise organisations against using NRIC numbers to authenticate persons.

What does it mean to authenticate a person?

Authentication refers to the process of proving that a person is who he claims to be, before granting him access to services or information intended only for him. This differs from identification, where identifiers such as names are used to tell people apart. 

Organisations are responsible for deciding whether and how to authenticate

Organisations are responsible for deciding whether and how to authenticate their users, based on considerations such as the value and amount of services or information being protected from access, and the possible impact on people if an impersonator or other bad actor gains access to the services or information. 

Passwords are a method of authenticating a person. When a person possesses a properly issued and secured password, he is deemed to have proven that he is the intended recipient of services or information. Therefore, we should not share our passwords with others. Also, when passwords are the chosen method of authenticating persons, strong passwords that are not easily guessed should be used. Otherwise, another person who correctly guesses the password may gain access to services or information intended for the genuine user. Passwords containing information that can be obtained easily, including personal data such as names, NRIC numbers or birthdates, are not strong passwords. 

Stop the use of NRIC numbers to authenticate persons

NRIC numbers should not be used as passwords to authenticate a person. This is because they are issued to uniquely identify a person and must be assumed to have been disclosed to at least a few other persons. 

Organisations that are using full or partial NRIC numbers to authenticate persons should stop this practice as soon as possible. They should not set NRIC numbers as default passwords[1], nor should they use full or partial NRIC numbers together with other easily obtainable personal data for authentication (e.g., passwords combining an individual's partial NRIC number and date of birth, such as "567A01Jan80"). Organisations should also be aware that a person may not be who he claims to be just because he is able to state that person's NRIC number.
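As an added illustration that is not part of the advisory, the following check is one an organisation could run when a user sets or is issued a password: it flags values that embed the person's NRIC number (full or the commonly printed last four characters), date of birth in its usual written forms, or name, which is exactly what makes "567A01Jan80" weak. The profile is constructed and the NRIC value is a placeholder, not a real number.

```python
import re
from datetime import date

# Constructed sample profile (placeholder values, not a real person). The advisory's own
# example password "567A01Jan80" joins the last four NRIC characters "567A" with 1 Jan 1980.
SAMPLE_PROFILE = {"name": "Tan Ah Kow", "nric": "S1234567A", "dob": date(1980, 1, 1)}


def _dob_forms(dob):
    """Ways a date of birth is commonly written, and therefore easily guessed."""
    day, mon, yr = f"{dob.day:02d}", f"{dob.month:02d}", f"{dob.year}"
    mon_name = dob.strftime("%b").lower()  # e.g. "jan"
    return {
        day + mon + yr, day + mon + yr[2:],          # 01011980, 010180
        yr + mon + day, yr[2:] + mon + day,          # 19800101, 800101
        day + mon_name + yr, day + mon_name + yr[2:],  # 01jan1980, 01jan80
        mon_name + yr, yr,                           # jan1980, 1980
    }


def _nric_forms(nric):
    """Full NRIC, the digits-and-checksum part, and the last four characters often printed on forms."""
    n = nric.upper()
    return {n, n[1:], n[-4:]}


def personal_data_in_password(password, profile):
    """Return the kinds of easily obtainable personal data found in the password.

    An empty list means none of the checked fields appear; it does not by itself
    make the password strong (length and randomness still matter).
    """
    # Strip separators so "01/01/1980" and "01-01-1980" match the same form.
    p = re.sub(r"[\s\-/._]", "", password).lower()
    findings = []
    if any(form.lower() in p for form in _nric_forms(profile["nric"])):
        findings.append("nric")
    if any(form in p for form in _dob_forms(profile["dob"])):
        findings.append("dob")
    if any(len(part) >= 3 and part.lower() in p for part in profile["name"].split()):
        findings.append("name")
    return findings


if __name__ == "__main__":
    for candidate in ("567A01Jan80", "S1234567A", "Tan-1980", "LearnttoRIDEabikeat5"):
        print(candidate, "->", personal_data_in_password(candidate, SAMPLE_PROFILE) or "no personal data found")
```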

Considerations and options to authenticate persons

If it is necessary to authenticate persons, organisations should consider using other method(s). Organisations should take a risk-based approach when choosing the authentication method(s), considering factors such as:

  • Value and sensitivity of what is being protected
  • Potential threats and vulnerabilities of the authentication method
  • User experience and accessibility when using the authentication method

Options to authenticate a person[2] include:

  • Something only the person knows (e.g. strong passwords)
  • Something only the person owns (e.g. security token, smart card)
  • Something only the person has (e.g. fingerprint, face, iris, palm vein)

Resources and guidance

  1. CSA
  2. PDPC

[1] For example, in password-protected files sent via e-mail. 
[2] "Something only the person owns" and "something only the person has" are preferred as these offer stronger phishing resistance. For "something only the person knows", opt for a strong password such as a passphrase made up of a series of random words that is harder to crack but easier to remember (e.g. LearnttoRIDEabikeat5). Do set up two-factor authentication for an additional layer of security.