TL;DR: Singpass’s 2026 passkey rollout uses device-bound WebAuthn keys inside the app, not synced cloud wallets, which changes credential control, recovery, and phishing resistance for a national identity system used in 4.5 million monthly app users and 41 million monthly transactions, according to Authsignal. The governance lesson is that sync convenience weakens accountability when the issuer needs revocation, locality, and tighter control over the credential lifecycle.
NHIMG editorial — based on content published by Authsignal: Why Singpass built its own passkey manager instead of using iCloud Keychain
By the numbers:
- Singpass has more than 4.5 million monthly active app users running over 41 million transactions a month across roughly 2,700 government and private sector services.
- Phishing was the second most common scam type in Singapore in 2025, with reported losses of around S$39.9 million, and several of those scams used fake Singpass pages or QR flows.
Questions worth separating out
Q: How should security teams decide where to use syncable passkeys versus device-bound keys?
A: Use syncable passkeys where usability and scale matter most, but keep device-bound keys for privileged access, regulated workflows, and any application where the organisation must preserve a stronger device-to-credential binding.
Q: Why do passkeys reduce phishing risk compared with passwords?
A: Passkeys are bound to the original website and use cryptographic proof instead of a reusable secret.
Q: What do teams get wrong about passkey security?
A: Teams often assume passkeys are either perfect or too risky to adopt.
Practitioner guidance
- Map credential custody boundaries Document whether passkeys are synced, device-bound, or issuer-managed, and tie each model to its recovery and revocation workflow.
- Review federation assumptions at the IdP layer For downstream applications, confirm whether authentication assurance is enforced upstream in the identity provider or locally at the application.
- Separate phishing resistance from portability Do not assume that every passkey deployment has the same assurance profile.
What's in the full article
Authsignal's full blog post covers the operational detail this post intentionally leaves for the source:
- How Singpass implements device-bound passkeys inside the app on iOS and why that differs from synced wallets
- The WebAuthn ceremony details, including RP binding, AAGUID policy, and attestation handling
- The comparison between passkeys and digital credentials, including when each model fits national identity
- Platform-level constraints on third-party credential providers and what that means for issuer-managed authentication
👉 Read Authsignal's analysis of Singpass device-bound passkeys and digital credentials →
Singpass device-bound passkeys: what do identity teams need to know?
Explore further
Device-bound passkeys create a custody model, not just an authentication upgrade. The real shift is that the issuer keeps the credential tied to one device and one recovery path instead of distributing copies through a consumer sync fabric. That changes who can revoke, who can recover, and who can assert control over the authenticator lifecycle. For identity governance, this is a custody decision with policy consequences, not a UX choice.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
A question worth separating out:
Q: Who should control passkey policy in a federated login model?
A: The upstream identity provider should control passkey policy when it is the party issuing the assurance used by relying services. Downstream applications can consume that assurance, but they should not pretend they own the ceremony if they do not. Accountability sits where the authenticator is governed.
👉 Read our full editorial: Device-bound passkeys change identity control in Singapore's Singpass