National Registration? I See: Tell Me, Teach Me, Involve Me.

   

For as long as I can remember, NRIC numbers in Singapore have been treated as personal identification numbers, protected under layers of privacy regulations outlined by the Personal Data Protection Act (PDPA). Since 1 September 2019, strict rules have governed how organisations collect, use, and disclose NRIC numbers. Public campaigns and educational materials have consistently reminded us: do not share your NRIC unless absolutely necessary.

However, the recent unmasking of NRIC numbers on the Bizfile portal by the Accounting and Corporate Regulatory Authority (ACRA) has sparked confusion and anger among many. This change, driven by the Ministry of Digital Development and Information (MDDI), was intended to reframe NRIC numbers as unique identifiers akin to names—important, but not inherently sensitive. The reasoning aligns with global advancements in cybersecurity intelligence, recognising that NRICs should no longer be treated as confidential or used for authentication.

While I understand the government’s rationale, this sudden change has left many Singaporeans unsettled. Conversations I’ve had with others reveal two common sentiments: confusion and anger. Many feel unprepared for this shift in policy. It reminds me of my initial disbelief upon learning that aged fish is often tastier than fresh fish in sashimi.

For years, I believed the fresher the fish, the better the sushi. It was only when I experienced aged fish for myself that I realised the science and artistry behind the tradition. Tuna aged for several days can deepen its umami, and certain white fish like flounder develop a richer texture through careful curing. What seemed counterintuitive at first made perfect sense after I tasted it. Likewise, the NRIC debate stems from a similar disconnect—people are clinging to an outdated notion of security because the logic behind the change hasn’t been properly communicated or experienced.

This brings me to a saying I’ve always held dear: “Tell me, and I forget. Teach me, and I remember. Involve me, and I learn.” So far, the government has largely tried to tell us that NRICs are not confidential and should not be used for authentication. But telling isn’t enough.


Identification vs. Authentication

The key issue lies in distinguishing identification from authentication:

  • Identification refers to the process of stating who someone is, such as using an NRIC number to confirm a person’s identity. Identification is a straightforward method but lacks security, as it does not verify whether the person presenting the identifier is genuinely who they claim to be. This limitation has been highlighted by cybersecurity experts and reports from Channel News Asia and the South China Morning Post, which argue that relying solely on NRIC numbers exposes individuals to potential fraud.
  • Authentication, on the other hand, is about proving that an individual is who they claim to be. According to experts cited in Singapore Law Watch, authentication often requires additional security measures, such as passwords, one-time codes, or biometric data. These measures provide a higher level of assurance by verifying not just identity but legitimacy.

The distinction between these two functions is critical as Singapore moves towards phasing out NRIC numbers as authentication tools. Reports from Channel News Asia further emphasise that the traditional dual use of NRIC numbers for both identification and authentication is outdated and insufficient in an era of increasing cybersecurity threats. Instead, there is a growing emphasis on adopting more robust methods, such as multi-factor authentication (MFA) and biometric verification.


Advantages of Modern Authentication Methods

Modern authentication methods have far surpassed NRIC-based verification in terms of security and reliability:

  1. Two-Factor Authentication (2FA):
    This method requires users to present two distinct factors before access is granted. For example, combining something the user knows (like a password) with something they have (like a mobile device for receiving a one-time code) significantly enhances security.
  2. Biometric Authentication:
    Techniques such as fingerprint scanning, facial recognition, and voice recognition leverage unique physical characteristics of individuals. These methods are inherently more secure because they cannot be replicated or stolen as easily as static identifiers like NRIC numbers.

These methods reflect the shift towards a more robust framework for verifying identity in an increasingly digital world.
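
The password-plus-one-time-code combination described above, as an added example that is not part of the original post: the NRIC is only the lookup key (identification), and access depends on a password and an RFC 6238 time-based code (authentication). The function names, the sample NRIC and the password are constructed for illustration, and the replay check on used codes goes one step beyond what the text describes.

```python
import hashlib, hmac, os, struct, time

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def totp(secret: bytes, step_no: int, digits: int = 6) -> str:
    """RFC 6238 one-time code (HMAC-SHA1) for time-step number `step_no`."""
    mac = hmac.new(secret, struct.pack(">Q", step_no), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def _kdf(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked record does not reveal the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def enroll(nric: str, password: str, totp_secret: bytes) -> dict:
    """Account record: the NRIC is only the lookup key, never a secret."""
    salt = os.urandom(16)
    return {"nric": nric, "salt": salt, "pw": _kdf(password, salt),
            "totp_secret": totp_secret, "last_step": -1}

def login_nric_only(users: dict, nric: str) -> bool:
    """Anti-pattern: knowing the identifier is treated as proof of identity."""
    return nric in users

def login_2fa(users: dict, nric: str, password: str, code: str, now=None) -> bool:
    """Identify by NRIC, then authenticate with password + one-time code."""
    user = users.get(nric)                       # identification only
    if user is None:
        return False
    if not hmac.compare_digest(_kdf(password, user["salt"]), user["pw"]):
        return False                             # factor 1: something you know
    current = int((time.time() if now is None else now) // STEP)
    for step_no in (current - 1, current, current + 1):  # tolerate clock drift
        expected = totp(user["totp_secret"], step_no).encode()
        if step_no > user["last_step"] and hmac.compare_digest(
                expected, code.encode()):
            user["last_step"] = step_no          # a used code cannot be replayed
            return True                          # factor 2: something you have
    return False

# Constructed sample data: the NRIC below is a made-up placeholder.
USERS = {"S0000001X": enroll("S0000001X", "correct horse battery", os.urandom(20))}
```

With `login_nric_only`, anyone who reads the number off a public register gets in; with `login_2fa`, the same number only selects the account.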


What Could Help?

Here’s my take on what could make this transition smoother for everyone:

  1. Move Beyond Single-Factor Authentication (1FA)
    • The government’s stance against using NRICs for authentication is valid, but we need robust alternatives like multi-factor authentication (MFA).
    • Authentication should rely on at least two factors from different categories:
      • Something you know: Passwords or PINs.
      • Something you have: Cryptographic tokens or smart cards.
      • Something you are: Biometric verification (e.g., fingerprints or facial recognition).
    • Even if someone has my NRIC number, it should be useless without another form of verification, such as biometric data.
  2. Involve the Public in Policymaking
    • Policies, especially concerning cybersecurity, shouldn’t be made in isolation. By involving the public through focus groups, consultations, or even pilot studies, the government can foster trust and make citizens feel like partners in this fight against cyber threats.
  3. Education Through Experience
    • Just as I learned to appreciate aged fish after tasting it, Singaporeans need experiential learning to understand this shift. Workshops, simulations, or interactive demonstrations could help people grasp why NRICs are no longer suitable for authentication.

My Thoughts and Yours

I believe the move to treat NRIC numbers as identifiers rather than authentication tools is a necessary step forward in today’s cybersecurity landscape. But this shift requires more than policy changes—it demands better communication, education, and public involvement.

The lesson I learned from aged fish in sushi is that understanding requires experience and context. The same applies here: the government must not only communicate the what of these changes but also the why through hands-on engagement.

That said, this is just my perspective. I’d love to hear what you think. Are you confused or concerned about this change? Do you see value in the government’s approach? Or do you have alternative ideas that could make this transition easier?

Let’s start a conversation. Together, we can adapt to these changes while preserving the trust and understanding that bind us as a society.
