S'pore authorities issue advisory for private sectors to stop using NRIC numbers as authentication as soon as possible

The Personal Data Protection Commission (PDPC) and Cyber Security Agency (CSA) advise private sector organisations to stop using National Registration Identity Card (NRIC) numbers to prove a person's identity.

According to a statement from the Ministry of Digital Development and Information (MDDI), the private sector uses a person's NRIC as a password to gain information intended for the person.

However, it stated that it is unsafe for organisations to use NRIC in such a manner, as a person's NRIC number may be known to others, allowing anyone who knows that particular NRIC to impersonate the person easily and access their personal data or records.

"While organisations may use NRIC numbers to identify who a person is over the phone or when using digital services, NRIC numbers should not be used to prove that a person is who he claims to be (authenticate the person) for the purposes of trying to gain access to services or information meant only for that person."

MDDI advises organisations that use full or partial NRIC numbers to authenticate persons to stop and transition away from this practice as soon as possible.

Other practices include setting NRIC numbers as default passwords and using full or partial NRIC numbers together with other easily obtainable personal data (e.g. passwords combining partial NRIC number and date of birth) should be stopped as well.

MDDI suggests that if organisations require a person to be authenticated, they should consider other methods, such as requiring them to use strong passwords, a security token, or fingerprint identification.

"Since January, the government has been taking steps to ensure the proper use of NRIC numbers in the private sector, to better protect citizens... The government is also working with regulated sectors such as finance, healthcare, and telecommunications to develop sector-specific guidance," said MDDI.

"The government remains committed to protecting citizens' personal data and ensuring its secure use for rightful purposes."

Advise against

In a joint advisory, PDPC and CSA advised private organisations not to use NRIC numbers as passwords to authenticate a person and to consider using other methods.

Organisations are advised to take a risk-based approach when choosing the authentication methods and consider factors like:

• Value and sensitivity of what is being protected
• Potential threats and vulnerabilities of the authentication method
• User experience and accessibility when using the authentication method

Methods to authenticate persons that organisations can use include:

• Something only the person knows (e.g. strong passwords)
• Something only the person owns (e.g. security token, smart card)
• Something only the person has (e.g. fingerprint, face, iris, palm vein)

"No value" in masking NRIC numbers

In December 2024, the government shared its plans to move away from the practice of masking the NRIC number as it is assumed to be known.

The statement was made in response to media queries on the disclosure of NRIC number on the Accounting and Corporate Regulatory Authority's (ACRA) new Bizfile portal.

The NRIC is a permanent and irreplaceable identifier issued by the Singapore Government as a means to identify individuals.

"As a unique identifier, the NRIC number is assumed to be known, just as our real names are known," said MDDI in the statement.

As such, there should "not be any sensitivity in having one's full NRIC number made public".

The problem lies only when NRIC number is misappropriated, which could happen when organisations rely on NRIC numbers as a form of authentication to gain access to information or to perform transactions.

However, using the NRIC number as a means of authentication would require keeping it secret, "which would defeat its main purpose as a unique identifier."

While some have used masked NRIC numbers, MDDI stressed there is no need for such practice as there is not "much value in doing so."

The statement added that one can make a good guess at the full NRIC number from the masked numbers with basic algorithms, especially if the person's birth year is known.

"We recognise that some Singaporeans have long treated the NRIC number as private and confidential information, and will need time to adjust to this new way of thinking about the NRIC number," the statement read.

Related stories

Top photo via ICA & Canva