Singapore Issues Advisory to Stop Use of NRIC Numbers for Authentication

Written By

Shawn Ting

Consultant
Singapore

I am a Consultant in the Technology and Communications practice based in Singapore. I advise clients across the Asia Pacific region on a broad range of technology, media and telecoms issues.

On 26 June 2025, the Personal Data Protection Commission (“PDPC”) and Cyber Security Agency of Singapore issued a joint advisory, which aims to stop organisations using National Registration Identity Card (“NRIC”) numbers for authentication (“Advisory”). The government is also working to develop sector-specific guidance for regulated sectors such as finance, healthcare and telecommunications on this topic.

The NRIC number is issued by the government to every Singapore citizen and permanent resident, and is used to uniquely identify Singaporeans in a wide range of government and commercial transactions. Currently, many organisations have a practice of using NRIC numbers to authenticate persons (e.g. by using NRIC numbers as passwords). In the government’s view, this practice is unsafe because NRIC numbers cannot be assumed to be secret, and may be known to bad actors and impersonators.

Stopping the Use of NRIC Numbers to Authenticate Persons

Under the Advisory, organisations that use full or partial NRIC numbers to authenticate persons should “stop this practice as soon as possible”. Organisations should not:

  • set NRIC numbers as default passwords;
  • use full/partial NRIC numbers together with other easily obtainable personal data for authentication (e.g. passwords combining an individual's partial NRIC number and date of birth, such as "567A01Jan80"); and/or
  • assume that someone is who they claim to be just because they are able to state that person’s NRIC number.
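
The first two practices in this list can be caught when a password is set or reset. The check below is an added example, not part of the Advisory or of the original article: it flags a candidate password that contains a full or partial NRIC number or a common rendering of the person's date of birth. The sample NRIC number, the four-character threshold and the function names are assumptions made for illustration.

```python
import re
from datetime import date

MIN_FRAGMENT = 4  # assumption: shortest NRIC substring treated as a "partial NRIC"
MONTHS = ("JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC")

def _norm(s: str) -> str:
    """Uppercase and drop separators so '567a-01 Jan 80' matches '567A01JAN80'."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())

def nric_fragments(nric: str, min_len: int = MIN_FRAGMENT) -> set[str]:
    """Every contiguous substring of the NRIC number with at least min_len characters."""
    n = _norm(nric)
    return {n[i:j] for i in range(len(n)) for j in range(i + min_len, len(n) + 1)}

def dob_renderings(dob: date) -> set[str]:
    """Common ways a date of birth is typed into a password."""
    dd, mm = f"{dob.day:02d}", f"{dob.month:02d}"
    mon, yyyy = MONTHS[dob.month - 1], f"{dob.year:04d}"
    yy = yyyy[2:]
    return {dd + mon + yy, dd + mon + yyyy, dd + mm + yy,
            dd + mm + yyyy, yy + mm + dd, yyyy + mm + dd}

def personal_data_in_password(password: str, nric: str, dob: date) -> list[str]:
    """Return which identifiers ('nric', 'dob') appear inside the candidate password."""
    p = _norm(password)
    found = []
    if any(f in p for f in nric_fragments(nric)):
        found.append("nric")
    if any(d in p for d in dob_renderings(dob)):
        found.append("dob")
    return found

def is_acceptable(password: str, nric: str, dob: date) -> bool:
    """Reject any password built from the person's NRIC number or date of birth."""
    return not personal_data_in_password(password, nric, dob)

if __name__ == "__main__":
    nric, dob = "S1234567A", date(1980, 1, 1)  # constructed sample values
    for candidate in ("567A01Jan80", "s1234567a", "correct-horse-7Battery"):
        print(candidate, personal_data_in_password(candidate, nric, dob))
```

A check like this only screens out NRIC-derived passwords; it does not by itself make the remaining passwords strong.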

Recommendations on Safe Authentication Practices

Organisations should instead consider other options to authenticate persons, such as:

  • something only the person knows (e.g. strong passwords);
  • something only the person owns (e.g. security token, smart card);
  • something only the person has (e.g. fingerprint, face, iris, palm vein).

In choosing an authentication method(s), organisations should assess the risk, taking into account factors such as: (a) the value and sensitivity of what is being protected, (b) potential threats and vulnerabilities, and (c) user experience and accessibility.

Authentication vs Identification

The Advisory also highlights that authentication and identification are different:

  • authentication is proving who a person claims to be, before granting him/her access to services or information intended only for him/her;
  • identification is the use of identifiers (e.g. names) to tell people apart.

The Advisory does not seek to stop organisations from using NRIC numbers to identify persons (i.e. telling people apart); it seeks to stop their use for authentication purposes.

Key Takeaways / Next Steps

Organisations that currently rely on NRIC numbers to authenticate persons (e.g. as passwords) should transition away from this practice as soon as possible. Whilst the Advisory is not itself legally binding, a failure to adopt its recommendations may be considered by relevant authorities in the event of a data or security breach.

Organisations in regulated sectors such as finance, healthcare and telecommunications can also expect targeted sector guidance/regulations on this topic to be rolled out in the coming months.

Organisations should also keep in mind existing data protection rules, which prohibit organisations from collecting, using or disclosing NRIC numbers except where: (a) required by law, or (b) necessary to accurately establish or verify the identities of individuals to a high degree of fidelity. These requirements remain unchanged, although the PDPC has stated that it intends to update its guidelines going forward in light of the government’s latest policy on NRIC numbers.

For more information, please contact Jeremy Tan, Loren Leung, Shawn Ting or Chester Lim.

This article is produced by our Singapore office, Bird & Bird ATMD LLP. It does not constitute legal advice and is intended to provide general information only. Information in this article is accurate as of 11 July 2025.
