{"id":65322,"date":"2026-07-01T19:50:50","date_gmt":"2026-07-01T11:50:50","guid":{"rendered":"https:\/\/sgbuzz.com\/?p=65322"},"modified":"2026-07-01T19:50:50","modified_gmt":"2026-07-01T11:50:50","slug":"singpass-passkey-your-digital-key-against-phishing","status":"publish","type":"post","link":"https:\/\/sgbuzz.com\/?p=65322","title":{"rendered":"Singpass passkey: Your digital key against phishing"},"content":{"rendered":"<p><br \/>\n<\/p>\n<div xmlns:default=\"http:\/\/www.w3.org\/2000\/svg\">\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">A new mode of authentication will be available to\u00a0Singpass\u00a0users from July 1 as part of ongoing efforts to foil\u00a0phishing scams that have\u00a0led to millions in losses.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Singpass\u2019 new passkey feature ensures that access is granted to legitimate websites only, and cannot be shared or exploited, unlike passwords or QR codes.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">The new authentication feature works through a unique pair of encryption keys \u2013 one residing on the user\u2019s phone and the other on Singpass\u2019 backend server \u2013 for every website that is integrated with the national authentication system.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">This also paves the way for a password-free future.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">\u201cAs passkeys are bound to the legitimate Singpass login domain, they cannot be used on fake websites,\u201d the Government Technology Agency of Singapore (GovTech) said in a statement on July 1.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">\u201cThey will only work with Singpass logins on real government websites and private sector services integrated with Singpass, protecting users against phishing scams.\u201d<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">GovTech is the agency that operates Singpass, which supports\u00a05.5 million users and is integrated with over 1,400 government agencies and private sector services.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">They include digital health portal HealthHub, the Inland Revenue Authority of Singapore\u2019s tax portal, the Central Provident Fund Board, DBS Bank and Singtel.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">A one-time registration is required to activate the passkey feature. iPhone users will be the first\u00a0to be able to do so through their Singpass app from 10am on July 1. The feature will be rolled out\u00a0to Android phone users later.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Laptops and desktops currently do not support Singpass passkey. But GovTech is working to enable such support across all web browsers so Singapore residents can use the passkeys residing on their phones to unlock access on computers.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">All existing authentication methods will still work even with the roll-out of passkeys.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Currently, users tap or scan a QR code on their Singpass app and complete the authentication by scanning their face or fingerprint, or entering a six-digit passcode. A set of static and one-time passwords can also be entered on the Singpass website to gain access.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">\u201c(These) methods will remain available to ensure continued access to services,\u201d said the agency.<\/p>\n<figure class=\"_figure_wioo3_1\"><img decoding=\"async\" class=\"_base_12j3k_1\" alt=\"How Passkeys Work\" loading=\"lazy\" sizes=\"auto\" width=\"640\" height=\"1140\" srcset=\"https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/9756868834449a26a61f2ada1320d747bc5edc4925e656279453757ca39c3670?w=320&amp;q=85 320w,https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/9756868834449a26a61f2ada1320d747bc5edc4925e656279453757ca39c3670?w=520&amp;q=85 520w,https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/9756868834449a26a61f2ada1320d747bc5edc4925e656279453757ca39c3670?w=640&amp;q=85 640w\" src=\"https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/9756868834449a26a61f2ada1320d747bc5edc4925e656279453757ca39c3670?w=640&amp;q=85\" style=\"--custom-aspect-ratio:0.5614035087719298;contain-intrinsic-size:640px 1140px\"\/><figcaption class=\"_figureCaptions_wioo3_158\">\n<p>Photo: The Straits Times<\/p>\n<\/figcaption><\/figure>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Keeping existing authentication methods ensures that Singpass logins on computers and Android phones will not be disrupted.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">But this also means that scammers can still exploit social engineering tactics to dupe unsuspecting victims, including those who have registered their Singpass passkey on their iPhones.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">GovTech\u00a0said: \u201cNo authentication method is entirely foolproof against this kind of manipulation, which is why additional safeguards such as facial verification are layered in for higher-risk or suspicious activities to provide an added layer of protection.\u201d<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">To register to use passkey authentication, iPhone users need to update their Singpass app and click on the \u201ccreate passkey\u201d banner in the app. The app will prompt users to turn on autofill in the phone settings, after which the Singpass passkeys will be created.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Once the pair of unique passkeys are registered with Singpass, users log in to all websites that accept Singpass verification by scanning their face or fingerprint in their Singpass app. Users who have not set up biometric authentication can enter their six-digit passcode in the app.<\/p>\n<figure class=\"_figure_wioo3_1\"><img decoding=\"async\" class=\"_base_12j3k_1\" alt=\"How to log in using passkey\" loading=\"lazy\" sizes=\"auto\" width=\"2000\" height=\"1253\" srcset=\"https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/d08718fe5aa3e6f5f1999f233459469525f832072c989a07da39e1debdfeba1b?w=330&amp;q=85 330w,https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/d08718fe5aa3e6f5f1999f233459469525f832072c989a07da39e1debdfeba1b?w=530&amp;q=85 530w,https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/d08718fe5aa3e6f5f1999f233459469525f832072c989a07da39e1debdfeba1b?w=660&amp;q=85 660w,https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/d08718fe5aa3e6f5f1999f233459469525f832072c989a07da39e1debdfeba1b?w=1320&amp;q=85 1320w,https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/d08718fe5aa3e6f5f1999f233459469525f832072c989a07da39e1debdfeba1b?w=1980&amp;q=85 1980w\" src=\"https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/d08718fe5aa3e6f5f1999f233459469525f832072c989a07da39e1debdfeba1b?w=660&amp;q=85\" style=\"--custom-aspect-ratio:1.596169193934557;contain-intrinsic-size:2000px 1253px\"\/><figcaption class=\"_figureCaptions_wioo3_158\">\n<p>Photo: The Straits Times<\/p>\n<\/figcaption><\/figure>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Singpass\u2019 backend system will verify the private key stored on a user\u2019s device against the public key registered in the system to validate every login.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Users need not register separate pairs of encryption passkeys for every website.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Registered passkey users can also log in from a different iPhone, which will display a QR code for tapping.\u00a0The user\u2019s phone with the stored passkey will need to be nearby so that a proximity check via Bluetooth connection can be conducted for the login to be successful.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">A scammer attempting a remote Singpass login will likely not have the user\u2019s phone with the stored passkey nearby. This is how phishing attempts are foiled.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">In future, laptop and desktop logins will also be protected in the same way with Singpass passkey support on these devices.<\/p>\n<figure class=\"_figure_wioo3_1\"><img decoding=\"async\" class=\"_base_12j3k_1\" alt=\"Passkeys how scams thwarted\" loading=\"lazy\" sizes=\"auto\" width=\"2000\" height=\"1272\" srcset=\"https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/388e2027cfedc3d890d181a2cdc55826c4cbcd79524cec7d43807497e4e127bd?w=330&amp;q=85 330w,https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/388e2027cfedc3d890d181a2cdc55826c4cbcd79524cec7d43807497e4e127bd?w=530&amp;q=85 530w,https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/388e2027cfedc3d890d181a2cdc55826c4cbcd79524cec7d43807497e4e127bd?w=660&amp;q=85 660w,https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/388e2027cfedc3d890d181a2cdc55826c4cbcd79524cec7d43807497e4e127bd?w=1320&amp;q=85 1320w,https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/388e2027cfedc3d890d181a2cdc55826c4cbcd79524cec7d43807497e4e127bd?w=1980&amp;q=85 1980w\" src=\"https:\/\/cassette.sphdigital.com.sg\/image\/hardwarezone\/388e2027cfedc3d890d181a2cdc55826c4cbcd79524cec7d43807497e4e127bd?w=660&amp;q=85\" style=\"--custom-aspect-ratio:1.5723270440251573;contain-intrinsic-size:2000px 1272px\"\/><figcaption class=\"_figureCaptions_wioo3_158\">\n<p>Photo: The Straits Times<\/p>\n<\/figcaption><\/figure>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Causing losses nearing $40 million in 2025,\u00a0phishing scams were the second-most common scam type locally in 2025 after e-commerce scams.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Locally reported cases of past phishing scams include scammers creating a spoofed Singpass login page, where victims were prompted to enter their Singpass ID, password and one-time password.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">The cases involved fraudulent job offers on messaging platforms requiring victims to scan a fake Singpass QR code to retrieve their profiles on the pretext of background screening. Victims who authorised the profile retrieval would later realise the authentication was used to open a bank account under their name.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">\u201cPasskeys offer more secure authentication than passwords, which can be stolen, and conventional QR codes, which scammers can mislead users into scanning,\u201d said GovTech.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Authentication via passkeys will prevent unauthorised access\u00a0through fake websites, the agency added.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Singpass passkeys comply with open standards developed by the Fast IDentity Online (Fido) Alliance, an industry association comprising over 250 members. They include tech firms such as Microsoft, Google and Apple, as well as government bodies in Australia, the United Kingdom and the United States.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Many online services, including those from Apple, Google, Microsoft and Adobe, already offer Fido passkey authentication, in addition to traditional passwords and two-factor authentication.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Tech firms such as Google and Microsoft have also moved away from using passwords for their employees\u2019 sign-ins, using Fido passkeys instead, to better protect them from phishing attacks.\u00a0<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Users who need help setting up passkeys can call the Singpass helpdesk on 6335-3533. They can also visit a ServiceSG counter or a Singpass counter located in community centres or clubs.<\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\"><b><i>Note: <\/i><\/b><i>This article was written by Sarah Koh and first appeared in The Straits Times on 30 June 2026.<\/i><\/p>\n<p class=\"_base_1s8rd_1 _default_1s8rd_12\">Source: The Straits Times<\/p>\n<\/div>\n<p><br \/>\n<center><br \/>\n<br \/><a href=\"https:\/\/www.hardwarezone.com.sg\/lifestyle\/apps\/singpass-passkey-support-security-anti-phishing\" target=\"_blank\" rel=\"noopener\">Read Full Article At Source <\/a><br \/>\n<center\/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new mode of authentication will be available to\u00a0Singpass\u00a0users from July 1 as part of ongoing efforts to foil\u00a0phishing scams that have\u00a0led to millions in&#8230;<\/p>\n","protected":false},"author":1,"featured_media":65323,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","footnotes":""},"categories":[32],"tags":[1238,1623,25710,4911,25709],"class_list":["post-65322","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tech-gadgets-reviews","tag-digital","tag-key","tag-passkey","tag-phishing","tag-singpass","wpcat-32-id"],"_links":{"self":[{"href":"https:\/\/sgbuzz.com\/index.php?rest_route=\/wp\/v2\/posts\/65322","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sgbuzz.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sgbuzz.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sgbuzz.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sgbuzz.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=65322"}],"version-history":[{"count":0,"href":"https:\/\/sgbuzz.com\/index.php?rest_route=\/wp\/v2\/posts\/65322\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sgbuzz.com\/index.php?rest_route=\/wp\/v2\/media\/65323"}],"wp:attachment":[{"href":"https:\/\/sgbuzz.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=65322"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sgbuzz.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=65322"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sgbuzz.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=65322"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}