To realise the vision of the Infocomm Development Authority of Singapore's (IDA) iN2015 masterplan, a secure and trusted enabling infocomm infrastructure is needed to facilitate the delivery of online services offered by the public and private sectors. The National Authentication Framework (NAF), spearheaded by IDA, with support from the Monetary Authority of Singapore and the Ministry of Finance, will be a nationwide platform where consumers can benefit from:
- A consistent experience in using strong authentication to access key online services (e.g. In Government, Finance, Healthcare).
- A more rigorous process of verifying online identities.
Envisioned as a key economic platform, NAF will help generate greater growth opportunities for businesses and entrench Singapore's status as a trusted infocomm hub.
Authentication is a process of validating a person's identity for security purposes. There are three recognised factors of authenticating individuals: "Something you know", such as a password or PIN, "Something you have", such as a hardware security token, and "Something you are", such as a finger print, a retina scan or other biometric features. A system is said to use strong authentication when it requires at least two of the three factors before access to the system is granted. This contrasts with traditional single-factor authentication which requires only one authentication factor (normally the knowledge of a password) in order to gain access to a system.
Two-Factor Authentication (2FA): This is currently available as a more rigorous process of validating identities. A popular second-factor authentication method that many banks are offering to their online consumers today is a 'One-Time Password' or OTP. When a user accesses an online service, in addition to using a User-ID and Password, the user would be required to enter an additional "second factor password", which is generated on demand. The dynamically-generated "second factor password" could be delivered through a token (hardware or software) or via a Short Message Service (SMS). Other types of authentication methods include certificates and biometrics.
Service providers are today deploying their own two-factor authentication infrastructures. As a result, an authentication device or method tends to be proprietary and can only be used to access specific online services.
A Nationwide Deployment 2FA: When the National Authentication Framework (NAF) is implemented, online service providers such as government agencies and financial institutions will be able to outsource their second-factor authentication infrastructure to trusted third parties (also known as the Authentication Operators or AOs).
AOs are free to offer multiple authentication devices and methods, depending on market needs. Consumers can hold more than one authentication device (e.g. a security token or an SMS OTP). However, regardless of the device a consumer chooses to use, that chosen device can be used to access multiple online e-services that require strong authentication. Consumers can thus benefit from the enhanced security of strong authentication without the inconvenience of having to carry multiple devices.
The objective of this Call-For-Collaboration (CFC) is to catalyse the deployment of NAF by seeking industry partners to operate as Authentication Operators.
| 17 June 2008 (Tuesday) |
Announcement of NAF CFC during imbX 2008 |
| 13 October 2008 (Monday) |
NAF CFC opens |
| 15 October 2008 (Wednesday) |
NAF Public Briefing |
| 12 December 2008 (Friday) |
NAF CFC closes |
| 1H 2009 |
Expected CFC Award |
A public briefing was held on 15 October 2008 where IDA shared with industry partners on the important details of the NAF CFC. The presentation slides and the list of companies interested in the NAF CFC can be downloaded below.
Note: The following documents contains confidential information and must not be used, reproduced or distributed in any form or by any means whatsoever without first obtaining the relevant owners' prior written permission. Unauthorised use, reproduction or distribution of any part of this document is prohibited and may attract legal action.
- Annex C-1 : SingPass Interface Specifications for Two-Factor Authentication
- Annex D-2 : SOEasy NAF Requirements
Companies which would like to receive a copy of the Annex C-1 and Annex D-2 are required to sign a Non-Disclosure Agreement with the relevant owners. Please email to IDA to request for a Non-Disclosure Agreement (NDA) at IDA_NAF@ida.gov.sg. Companies are required to sign the NDA and mail the original copy to IDA. Upon receiving the signed copy of the NDA, IDA will send the documents to the requesting company.
Please submit four (4) hardcopies and one (1) softcopy (in a CD-ROM) of the project proposal, which should reach IDA no later than 12 December 2008 at 12:00 pm. All proposals must be clearly marked as "NAF CALL-FOR-COLLABORATION", and delivered to:
Infocomm Development Authority of Singapore
8 Temasek Boulevard
Suntec Tower Three, #14-00
Singapore 038988
Late submissions will not be entertained.
If you have any enquiries, please send them to IDA_NAF@ida.gov.sg.