MAS chair confirms stance on physical MFA tokens

Hardware token MFA

Monetary Authority of Singapore (MAS) chair Tharman Shanmugaratnam has confirmed that the city-state’s banks are free to continue issuing physical tokens to customers to securely access mobile and digital banking services, despite the increasing prevalence of, and preference for, digital tokens.

A question posed to Singapore Prime Minister, Lee Hsien Loong, earlier this month by MP Christopher de Souza, and answered by Shanmugaratnam, sought to determine whether physical tokens should despite the increasing prevalence of digital tokens – still be mandated for issuance by banks, recognising concerns that those who are potentially “less technologically savvy”, or without means to purchase phones that are able to accept digital tokens, may potentially be cut off from accessing digital and mobile banking services.

Shanmugaratnam noted that while MAS does require banks to, at a minimum, implement multi-factor authentication (MFA), the regulator “does not prescribe any particular technology for multi-factor authentication, so that banks can offer the authentication method that best meets their customers’ preferences”.

MFA requires users to provide two or more proofs of identity to gain access to a service – a combination of something they know (a pin, for instance), something they have (a card or token), and something they are (a fingerprint or face scan).

He recognised that many banks in Singapore have now largely replaced hardware tokens (a small physical device, often in the form of a keychain fob, with a unique identifier passcode used to authorise access to banking services) with digital tokens (typically accessible via a smartphone device).

Digital tokens, which are often sent in the form of a PIN, are provided via SMS, email or within a dedicated banking app.

Shanmugaratnam added that banks have also moved to publish “customer advisories and trained their frontline staff to provide guidance to customers on the use of digital tokens”.

According to the MAS Chair, while Singapore’s major banks, including DBS, OCBC and UOB, have now stopped issuing hardware tokens by default to customers who apply for internet banking, customers from these banks can still request hardware tokens if they prefer this method of authentication.

While Singapore has some of the highest smartphone penetration rates in the world, reportedly hitting 95 per cent of Singapore’s adult population in 2018 according to EY’s Savvy Singapore: Decoding a digital nation report, those without capable smartphone devices or those who lack aposite digital skills may struggle to access and use digital tokens.