Singpass to roll out passkeys in fight against phishing scams

A passkey feature for Singpass, Singapore’s national digital identity platform, will go live on 1 July, providing users with a faster and more secure way to log into digital services as phishing scams become more prevalent.

The beta launch will first be available to iPhone users who check in to the Singpass mobile app, with support for Android users and desktop browser logins to follow in later phases. Current authentication methods, such as QR code login, facial verification for high-risk transactions and SMS one-time passwords, will remain in place.

Computer Weekly understands there are no plans at present to extend passkey support to Fido2-compliant hardware security tokens. But the Government Technology Agency, which operates Singpass, is expected to continue exploring new security techniques to address emerging vulnerabilities, leaving the door open for future integration.

Passkeys have become the gold standard for online security and are widely used across digital platforms. They offer a passwordless experience that prevents credential theft by replacing passwords with cryptographic keys, where a successful login can only occur when a user’s private key perfectly matches with a public key held by a digital platform like Google or Facebook.

However, the Singpass implementation differs from most cloud-based passkey models adopted by commercial tech suppliers, addressing security issues about cloud infrastructure.

Google’s implementation of passkeys, for instance, uses a cloud-based component that enables synced passkeys across devices using passkey applications like Google Password Manager. While this makes it convenient for account recovery and device onboarding, it also increases security risks if the user’s cloud account is breached.

To avoid these risks, Singpass uses a tight, device-bound model. The passkey is tied solely to the user’s trusted smartphone, with the Singpass app acting as the dedicated credential manager. This deliberate design prevents the passkey from being shared, transmitted or leaked via the cloud. It also means the platform can revoke access if an account is flagged as compromised.

There’s also a clever safeguard to thwart remote takeovers by overseas scammers. For cross-device logins, such as using a smartphone to log in to a portal on a laptop, a short-range Bluetooth check will be triggered to ensure the user’s phone is physically close to the computer before access is granted.

Eligible users with notifications enabled will receive a push alert through the Singpass app once the feature hits their device. Getting started is simple: users just need to update the app to the latest version, tap a banner on the home screen, and follow the prompts to enable autofill.

Once activated, users can choose the passkey option on the Singpass login page and verify their identity using their device’s built-in biometrics, such as facial recognition or a fingerprint scan, or their six-digit Singpass app passcode.

These baseline biometric locks and device passcodes safeguard the user’s digital identity in the case of a smartphone loss or theft. As soon as the user creates their Singpass account on a replacement phone with the Singpass app, the passkey on the lost device is promptly cancelled.

Passkeys are the newest evolution for Singpass, which was first launched over two decades ago in 2003. The platform has kept pace with the evolution of authentication methods – such as introducing SMS one-time passwords in 2015, QR code logins in 2018 and face verification in 2022 – to fend off growing threats such as phishing, which was the second most common type of scam in Singapore in 2025.

Today, Singpass has become part of everyday life in Singapore. It serves as a gateway to the country’s digital economy, with more than 4.5 million monthly active app users who perform over 41 million transactions each month across 2,700 government and private sector services.