I have the opportunity to meet up with the COO of Assurity Trusted Solution, the company behind the National Authentication Framework: OneKey. Assurity Trusted Solutions is a subsidiary of Infocomm Development Authority of Singapore (IDA).
The OneKey token has 3 functions: One Time Password (OTP), Challenge Response (CR) and Transaction Signing (SIGN).
Most people are familiar with One Time Password. OTP is the same as the 2FA token login that we have been using for our online banking for the past few years. Just press the button and the token will generate a string of numbers. For Challenge Response, the website will display a string of numbers. Key in those numbers onto the token and it will generate a string of numbers for your response. Transaction Signing are used when you want to transfer money to another account. Key in the account number and the amount you wish to transfer and the token will generate a string of numbers. Transaction Signing provides much more security compared to the current 2FA that we are using for our online banking.
So far, only Phillip Securities, Kim Eng Securities and ST Electronics are onboard. Phillip Securities and Kim Eng Securities is using OneKey for their customers to login to their website for online transaction while ST Electronics is using OneKey for their employees to login to secure VPN. Yes, the OneKey solution is able to replace that RSA token so that employees don’t need to carry multiple tokens everyday.
Assurity is speaking to the banks and other companies currently and some of the banks are testing out the OneKey system. But none of the banks have confirmed (nor denied) that they will be using OneKey. We do know that DBS is in the process of rolling out their own password tokens.
I guess some banks will not be interested in joining OneKey because of 2 issues. Firstly, the OneKey is a generic token and the banks can’t have their own branding on it. (some marketers and branding folks thinks that it is important to have their brand logo all over the place) Another problem is the cost of using OneKey. In short term, OneKey is cheaper to deploy. But if you have a lot of customers who will be making lots of transactions, then it might be more cost effective if you have your own system in the long run. Assurity currently charges 5 cents for every transaction. This wouldn’t be a problem for banks who are currently using SMS as their 2FA authentication.
By end of this year, all the banks in Singapore need to switch to a password token which allows Transaction Signing. We still don’t know if the banks are rolling out their own password token or joining OneKey. I guess we will find out by end of the year. For consumers, it will be much more convenient if all the banks join OneKey so that we don’t need to carry multiple tokens with us all the time.
For me, I’m never a fan of 2FA. But we have no choice since the government is regulating all banks to use 2FA for online banking login. Since we have no choice, I would rather just carry one token than multiple tokens. Which is why I wish all the banks in Singapore will use OneKey so that it would be much more convenient for everyone.
