TL;DR: Singapore’s Singpass shows how a national digital identity can support 97% penetration and more than 350 million annual transactions, but the same ecosystem still faces phishing, smishing, and credential abuse that attackers exploit at scale, according to 1Kosmos. The lesson is that digital identity only holds when proofing, authentication, and data-sharing limits are designed to survive real-world fraud and privacy pressure.
NHIMG editorial — based on content published by 1Kosmos: Singapore’s digital identity model, Singpass, and decentralized wallets
By the numbers:
- Singpass has 97% penetration among Singapore’s roughly 5.6 million citizens.
- Singpass facilitates more than 350 million transactions annually.
Questions worth separating out
Q: How should organisations reduce fraud risk in digital identity programmes?
A: Organisations should treat fraud resistance as part of identity assurance, not as a separate afterthought.
Q: Why does selective disclosure matter in identity architecture?
A: Selective disclosure matters because most relying parties do not need a full identity record to complete a transaction.
Q: What breaks when identity systems rely too heavily on passwords and basic MFA?
A: Passwords and basic MFA can still fail when attackers control the device, the session, or the user’s context through phishing or social engineering.
Practitioner guidance
- Strengthen proofing and recovery governance: Review how identities are recovered, revalidated, and re-issued after compromise because that path often becomes the weakest point in a trusted digital identity model.
- Add fraud controls to identity programmes: Connect authentication telemetry to fraud detection, device trust, and session monitoring so that a valid login does not automatically equal legitimate intent.
- Reduce attribute release by design: Limit each relying party to the minimum identity attributes needed for the transaction and track where those attributes are stored, reused, or retained.
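One way to enforce the attribute-release guidance above, as an added example that is not taken from the 1Kosmos article or from Singpass. The relying-party IDs, attribute names, policy table, and sample record are all hypothetical and constructed for illustration.

```python
from datetime import datetime, timezone

# Hypothetical release policy: relying party -> attributes it may ever receive.
RELEASE_POLICY = {
    "rp-library": {"age_over_18"},
    "rp-bank": {"full_name", "date_of_birth", "residential_address"},
}

# Constructed sample identity record (not real data).
SAMPLE_RECORD = {
    "full_name": "Tan Mei Ling",
    "date_of_birth": "1990-04-12",
    "residential_address": "1 Example Road",
    "national_id": "X0000000X",
    "age_over_18": True,
}

RELEASE_LOG = []  # in-memory stand-in for an append-only audit store


def release_attributes(rp_id, requested, record, consented, now=None):
    """Release only attributes that are allowlisted, requested, and consented."""
    allowed = RELEASE_POLICY.get(rp_id)
    if allowed is None:
        raise PermissionError(f"unknown relying party: {rp_id}")
    requested = set(requested)
    granted = sorted(allowed & requested & set(consented) & set(record))
    denied = sorted(requested - set(granted))
    # Record what left the identity provider, so later reuse can be traced.
    RELEASE_LOG.append({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "rp": rp_id, "granted": granted, "denied": denied,
    })
    return {name: record[name] for name in granted}


def over_released(log, policy):
    """Audit: log entries whose granted attributes exceed the given policy."""
    return [e for e in log
            if not set(e["granted"]) <= policy.get(e["rp"], set())]


if __name__ == "__main__":
    asked = ["full_name", "national_id", "age_over_18"]
    print(release_attributes("rp-library", asked, SAMPLE_RECORD, asked))
    print(RELEASE_LOG[-1]["denied"])
```

Re-running `over_released` against a tightened policy shows which past releases would no longer be permitted, which is the starting point for retention review at the relying party.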
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- The full discussion of Singpass adoption, transaction volume, and digital identity adoption patterns in Singapore.
- The article’s explanation of how MyInfo, API-based data sharing, and federated identity reduce application friction.
- The detailed comparison between centralised federated models and decentralised identifier-based wallets.
- The author’s specific standards references, including the biometric assurance and liveness considerations behind wallet design.