Introduction
Following a January 2025 statement that organisations should stop using National Registration Identity Card (NRIC) numbers as passwords and other authentication methods, the Personal Data Protection Commission and the Cyber Security Agency of Singapore issued a joint advisory on 26 June 2025 (the Advisory) aimed at eliminating the widespread practice of relying on NRIC numbers as passwords or default credentials. The practice was drawn into the spotlight after a new online portal launched by the company registrar in December 2024 briefly made names and full NRIC numbers easily searchable by members of the public.
Authentication is not identification
The Advisory clarifies that authentication is the process of proving a person’s identity before granting access to services or information intended only for that individual. On the other hand, identification is merely the process of using identifiers such as names to tell people apart. The NRIC number is an identifier rather than an authenticator because NRIC numbers may be known to others.
The Advisory noted that many entities still use NRIC numbers, sometimes combined with easily obtainable data like dates of birth, as default passwords for online portals and encrypted documents. This authentication practice has been observed in sectors such as insurance, finance and health care.
This practice is risky because NRIC numbers are often disclosed to employers, educational institutions and service providers. A malicious actor with access to these numbers may use them for identity theft. This could lead to affected users losing access to their accounts or even having key information, such as their residential address or bank account details, replaced without their knowledge.
Authentication measures
The Advisory requires organisations to adopt stronger authentication measures determined using a risk-based approach. Where the information being protected is particularly sensitive and the threat exposure is high, organisations should use a stronger authentication method. Strong authentication options fall into three categories: 1) something only the person knows (e.g., strong passwords), 2) something only the person possesses (e.g., security tokens) and 3) something the person is (e.g., fingerprints). Multi-factor authentication, combining at least two of these categories, should be implemented where feasible to reduce the likelihood of a breach.
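The NRIC-plus-date-of-birth default password practice described above is straightforward to detect at password-setting time. The following is an added example (not part of the Advisory or this alert) of a policy check that rejects any candidate or default password containing the account holder's NRIC number, their date of birth in common forms, or any other string that has the shape of an NRIC/FIN with a valid S/T/F/G-series check letter; the function names, the "user_nric" and "user_dob" inputs and the sample values are assumptions for illustration.

```python
import re
from datetime import date

# Singapore NRIC/FIN check-letter algorithm for S/T/F/G prefixes (publicly
# documented). M-series FINs are matched by shape only; their checksum is not
# implemented here.
_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_CHECK_LETTERS = {"S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
                  "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK"}
_NRIC_SHAPE = re.compile(r"[STFGM]\d{7}[A-Z]")


def nric_checksum_ok(nric: str) -> bool:
    """True if an S/T/F/G-series NRIC/FIN string has a valid check letter."""
    nric = nric.upper()
    if not _NRIC_SHAPE.fullmatch(nric) or nric[0] not in _CHECK_LETTERS:
        return False
    total = sum(w * int(d) for w, d in zip(_WEIGHTS, nric[1:8]))
    if nric[0] in "TG":          # T and G series add an offset of 4
        total += 4
    return _CHECK_LETTERS[nric[0]][total % 11] == nric[8]


def dob_forms(dob: date) -> set:
    """Date-of-birth spellings commonly used as default passwords."""
    return {dob.strftime(f) for f in
            ("%d%m%Y", "%Y%m%d", "%d%m%y", "%d/%m/%Y", "%Y-%m-%d")}


def password_policy_findings(password: str, user_nric: str, user_dob: date) -> list:
    """Return the reasons a password violates the no-NRIC rule (empty list = acceptable)."""
    pw = password.upper()
    findings = []
    if user_nric.upper() in pw:
        findings.append("contains the account holder's NRIC number")
    if any(form in pw for form in dob_forms(user_dob)):
        findings.append("contains the account holder's date of birth")
    # Also flag any other NRIC/FIN-shaped value (e.g. a relative's number).
    for match in _NRIC_SHAPE.finditer(pw):
        candidate = match.group()
        if candidate == user_nric.upper():
            continue
        if candidate[0] == "M" or nric_checksum_ok(candidate):
            findings.append(f"contains an NRIC/FIN-shaped value {candidate}")
            break
    return findings
```

Run the check both when a user chooses a password and as a one-off audit over any stored default credentials, so existing NRIC-based defaults are surfaced as well as new ones.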
Conclusion
Organisations should immediately review their authentication processes to cease usage of NRIC-based passwords. Next, internal policies and employee training should be updated to stop the use of NRICs for authentication. Organisations should look out for upcoming sector-specific guidelines developed in collaboration with the Singapore Ministry of Digital Development and Information to ensure they comply with any additional requirements.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.
Client Alert 2025-169