Overview
- GovTech announced on Tuesday that Singpass will begin a beta rollout of passkey logins for iPhone users from Wednesday, July 1, with Android and desktop support to follow in later phases.
- Singpass uses a device-bound model that stores the private passkey only on the user’s phone rather than syncing it to the cloud, a design meant to lower the chance of mass credential exposure from cloud breaches.
- For cross-device logins, the system will trigger a short-range Bluetooth proximity check to ensure the phone with the stored passkey is physically near the computer before granting access.
- Users who opt in will be notified by a push banner in the Singpass app, enable passkeys through the app, and authenticate with device biometrics or the app’s six-digit passcode while existing QR, face verification and SMS OTP options remain available.
- The change responds to rising phishing losses — nearly S$40 million last year — and affects millions of users because Singpass handles millions of monthly transactions across thousands of government and private services, creating a trade-off between extra security and some convenience lost from not using cloud-synced recovery.