top of page
Search

NRIC Numbers Should Not Be Used for Authentication


The Business Times recently reported on a new advisory jointly issued by Singapore’s Personal Data Protection Commission (PDPC) and the Cyber Security Agency (CSA). The advisory strongly recommends that organisations in the private sector stop using NRIC numbers, whether full or partial, for authentication purposes.


As part of their coverage, The Business Times invited Red Alpha Cybersecurity to share our perspective, given our focus on cybersecurity training, advisory, and policy awareness.


Why This Advisory Matters

For years, NRIC numbers have been used by businesses to verify customer identity over phone calls, online platforms, and even in person. However, cybersecurity experts have raised concerns that NRICs, which are static and often exposed in past data breaches, are not meant to serve as secure credentials.


The new advisory urges organisations to shift away from NRIC-based checks and instead adopt more secure forms of authentication, such as passwords, multi factor authentication, hardware tokens, or biometrics.


Tzer Yeu Pang on Why This Change Is Necessary

Our Chief Information Security Officer in Residence, Tzer Yeu Pang, commented in the article:

“Static identifiers like NRICs were never designed to be secure credentials. In today’s cybersecurity landscape, where data breaches are rising and identity theft is a real threat, the risks of continuing such practices are no longer acceptable. This advisory is long overdue and it signals a crucial step toward strengthening digital trust, reducing attack surfaces, and fostering safer authentication across our digital ecosystem.”

His views reflect Red Alpha’s belief that modern security starts with strong identity practices and up to date awareness across teams and systems.


What Companies Should Do Next

With the advisory in place, private organisations are encouraged to:

  • Stop using NRIC numbers for identity verification

  • Review internal systems and customer journeys where NRICs are still being used

  • Adopt modern authentication solutions such as biometrics or one time passwords

  • Train staff to follow updated verification methods and reduce reliance on personal identifiers

  • Communicate the shift clearly to customers to ensure understanding and transparency


Supporting a More Secure Digital Ecosystem

At Red Alpha, we support this step by PDPC and CSA to strengthen digital trust and reduce cyber risk. This move reflects Singapore’s growing commitment to modernise cybersecurity across sectors.


We thank The Business Times for inviting us to contribute to this important conversation. You can read the full article here:

Long overdue: Experts welcome advisory against private sector use of NRIC numbers for authentication

 
 
 

コメント

bottom of page