Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Digital identity and Singpass: what IAM teams should watch


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Singapore’s Singpass shows how a national digital identity can support 97% penetration and more than 350 million annual transactions, but the same ecosystem still faces phishing, smishing, and credential abuse that attackers exploit at scale, according to 1Kosmos. The lesson is that digital identity only holds when proofing, authentication, and data-sharing limits are designed to survive real-world fraud and privacy pressure.

NHIMG editorial — based on content published by 1Kosmos: Singapore’s digital identity model, Singpass, and decentralized wallets

By the numbers:

Questions worth separating out

Q: How should organisations reduce fraud risk in digital identity programmes?

A: Organisations should treat fraud resistance as part of identity assurance, not as a separate afterthought.

Q: Why does selective disclosure matter in identity architecture?

A: Selective disclosure matters because most relying parties do not need a full identity record to complete a transaction.

Q: What breaks when identity systems rely too heavily on passwords and basic MFA?

A: Passwords and basic MFA can still fail when attackers control the device, the session, or the user’s context through phishing or social engineering.

Practitioner guidance

  • Strengthen proofing and recovery governance Review how identities are recovered, revalidated, and re-issued after compromise because that path often becomes the weakest point in a trusted digital identity model.
  • Add fraud controls to identity programmes Connect authentication telemetry to fraud detection, device trust, and session monitoring so that a valid login does not automatically equal legitimate intent.
  • Reduce attribute release by design Limit each relying party to the minimum identity attributes needed for the transaction and track where those attributes are stored, reused, or retained.

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • The full discussion of Singpass adoption, transaction volume, and digital identity adoption patterns in Singapore.
  • The article’s explanation of how MyInfo, API-based data sharing, and federated identity reduce application friction.
  • The detailed comparison between centralised federated models and decentralised identifier based wallets.
  • The author’s specific standards references, including the biometric assurance and liveness considerations behind wallet design.

👉 Read 1Kosmos’s analysis of Singapore’s digital identity model and decentralized wallets →

Digital identity and Singpass: what IAM teams should watch?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Human digital identity is now a fraud control problem, not just an access control problem. The article shows that Singpass succeeds because it enables trusted transactions at scale, but the same trust model becomes a target when phishing, smishing, and credential reuse enter the path. That means identity assurance must be judged by whether it resists abuse after enrolment, not only by how cleanly it authenticates at sign-in. Practitioners should treat fraud resistance as part of identity governance, not a separate layer.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should be accountable for identity assurance in digital wallet models?

A: Accountability should sit with the programme owners who decide what attributes are shared, how long they persist, and which assurance standards apply. Wallet models do not remove governance, they shift it to data minimisation, anti-spoofing validation, relying-party trust, and recovery controls. That makes identity assurance a cross-functional security and privacy responsibility.

👉 Read our full editorial: Singapore’s digital identity model shows where trust still breaks



   
ReplyQuote
Share: