Singapore strengthens digital ID’s security with new passkeys authentication

With the rise of phishing scams, passkeys protect users by working only on legitimate Singpass’ login domains, and use a short-range Bluetooth check to confirm the user’s proximity to the device.

From July 1, Singpass users on iPhone (iOS) systems can update their Singpass mobile app to create and start using passkeys to better secure their national digital identity. Image: GovTech Singapore

From July 1, Singpass users on iPhone (iOS) systems can update their Singpass mobile app to create and start using passkeys to better secure their national digital identity. 

 

Singpass passkeys would be extended to Android users and desktop devices in subsequent phases. 

 

Passkeys add to existing authentication methods for Singpass, including SMS one-time passwords (OTP), QR code login, and face verification. 

 

Singpass is Singapore’s national digital ID that allows residents to log into over 2,700 digital services across both the public and private sectors. It facilitates about 41 million transactions per month. 

 

According to Government Technology Agency of Singapore’s (GovTech Singapore), passkeys provide a stronger protection against phishing and are as user-friendly.  

 

They allow users to log onto websites and digital services without using a password and have been widely adopted in consumer and enterprise settings. 

 

Unlike passkeys offered by many commercial digital services which can sync across a user's devices through cloud storage, Singpass passkeys are tied to a single device only and do not sync via the cloud. 

 

According to GovTech, Singpass passkeys work as a matching pair: A private key stored securely on the user's device, and a public key stored in the Singpass system.  

 

When a user logs in, Singpass checks that the two keys match before allowing access. The matching process also only works on a legitimate website.  

How passkeys tackle phishing 

 

Conventional authentication methods like passwords can be stolen, and QR codes can be used by scammers to mislead users into scanning to gain unauthorised access remotely. 

 

In the case of Singpass passkeys, users do not need to send or enter any credentials like passwords or OTPs during the login process, which significantly reduces the risk of credential theft. 

 

This means scammers cannot phish for information remotely, and users cannot be tricked into authenticating on fake websites. 

 

Passkeys only work on legitimate government websites and private sector services integrated with Singpass. 

 

For example, if a scammer sends a fake website link and the user clicks on it, attempting to log in with a passkey will trigger a notification from Singpass that the passkey does not work on this site.  

 

Without access to Singpass, the scammer cannot obtain the user’s key information needed to carry out the scam. 

 

Passkeys also include an additional safeguard to prevent remote attacks, which is a Bluetooth-based proximity check that runs when a user logs into a service on another device. 

 

This ensures that the passkey is only used to authenticate a nearby device. 

 

According to 2025 statistics from the Singapore Police Force (SPF), phishing scams resulted in financial losses of around S$39.9 million, making phishing the second most common type of scam that year. 

Citizens and businesses encouraged to onboard passkeys 

 

“Stronger phishing-resistant authentication methods such as passkeys can significantly reduce the risk of attackers exploiting stolen login credentials, while offering users a simpler and more seamless login experience,” said Cyber Security Agency of Singapore (CSA)’s Deputy Chief Executive (Development), Lee Shih Yen, in the statement. 

 

He added that for organisations, implementing passkeys as a software-based solution offers more efficient and secure authentication practice.  

 

As Singpass passkeys is currently in its beta phase, GovTech is seeking feedback from users via the contact form on the Singpass website or through the mobile app settings. 

 

Users who need help to onboard Singpass passkeys can also approach the Singpass counter at community centres or ServiceSG centres across Singapore. 

 

Existing authentication methods remain available on Singpass to ensure continued access to services.  

 

As the Singpass passkeys are device-bound, they are automatically deactivated once a user sets up Singpass on another device, ensuring users retain full control over their digital ID.