Reed Smith Client Alerts

Key takeaways

  • Organisations in Singapore must cease using full or partial NRIC numbers for authentication
  • NRIC numbers may be used for identification but not authentication as the numbers are vulnerable to impersonation
  • Organisations are expected to adopt strong risk-based authentication solutions including multi-factor authentication

Authors: Bryan Tan Eng Han Goh (Resource Law LLC)

Introduction

Following a January 2025 statement that organisations should stop using National Registration Identity Card (NRIC) numbers as passwords and other authentication methods, the Personal Data Protection Commission and the Cyber Security Agency of Singapore issued a joint advisory on 26 June 2025 (the Advisory) aimed at eliminating the widespread practice of relying on NRIC numbers as passwords or default credentials. The practice was drawn into the spotlight after a new online portal launched by the company registrar in December 2024 briefly made names and full NRIC numbers easily searchable by members of the public.