Singapore PDPC and CSA: Stopping the use of NRIC-based authentication
- Ericz
- Jul 31
On 2 July 2025, Singapore’s Personal Data Protection Commission (PDPC) and Cyber Security Agency (CSA) issued a joint advisory advising businesses to stop the use of the full or partial national registration identity card (NRIC) number as a password or factor for authentication, for instance, passwords combining an individual’s partial NRIC number and date of birth, such as “567A01Jan80”.
Since an individual's NRIC number can appear on so many documents and can be readily obtained, it is not a secure credential. Using the full or partial NRIC number as a password or factor for authentication invites impersonation, phishing, and data breaches, where fraudsters exploit known NRIC numbers to breach accounts. Businesses should also be aware that a person may not be who he claims to be just because he is able to state that person’s NRIC number.
Common scenarios of using NRIC numbers
Many businesses still auto-generate passwords by combining the last three digits and letter of the NRIC number plus the date of birth (e.g., 789C15Feb90). Common examples include:
- Access to statements of accounts and salary letters: a user's initial login to view bank statements or download monthly salary letters.
- Access to websites: user-portal accounts for booking appointments, viewing results, or other types of services.
- Tracking services: tracking an application, delivery of products, and/or services.
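To find accounts that are still protected by the pattern described above, the check below flags passwords that have the NRIC-suffix + DOB shape, or that embed a fragment of the account holder's NRIC or their date of birth in common renderings. This is an added example written for this post, not code from the advisory or from PDPC/CSA; the sample accounts, NRIC values and the `MIN_FRAGMENT` threshold are constructed assumptions. Because stored passwords are hashed, a check like this runs at the moment a password is set or verified, which is the only time the plaintext is available.

```python
"""Flag passwords derived from NRIC numbers or dates of birth so the affected
accounts can be forced through a reset (added example; sample data is constructed).
"""
import re
from datetime import date

# Legacy auto-generated format quoted in the advisory: last three digits and the
# checksum letter of the NRIC, followed by the date of birth as DDMonYY
# (e.g. "567A01Jan80" or "789C15Feb90").
LEGACY_PATTERN = re.compile(r"^\d{3}[A-Z]\d{2}(?P<mon>[A-Z][a-z]{2})\d{2}$")
MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}

# Minimum run of consecutive NRIC characters that counts as reuse (assumption).
# Four covers the "last three digits plus letter" suffix used by the legacy scheme.
MIN_FRAGMENT = 4


def matches_legacy_format(password: str) -> bool:
    """True if the password has the NRIC-suffix + DOB shape, whoever's NRIC it is."""
    m = LEGACY_PATTERN.match(password)
    return m is not None and m.group("mon") in MONTHS


def nric_fragments(nric: str, min_len: int = MIN_FRAGMENT) -> set[str]:
    """Every contiguous substring of the NRIC that is at least min_len characters long."""
    nric = nric.upper()
    return {nric[i:j] for i in range(len(nric))
            for j in range(i + min_len, len(nric) + 1)}


def dob_renderings(dob: date) -> set[str]:
    """Common ways a date of birth ends up embedded in a password."""
    return {dob.strftime(fmt).upper()
            for fmt in ("%d%b%y", "%d%b%Y", "%d%m%y", "%d%m%Y", "%Y%m%d", "%Y")}


def is_identity_derived(password: str, nric: str, dob: date) -> bool:
    """True if the password contains a fragment of this person's NRIC or their DOB."""
    p = password.upper()
    if any(frag in p for frag in nric_fragments(nric)):
        return True
    return any(r in p for r in dob_renderings(dob))


def audit_accounts(records):
    """Return (user_id, reason) for every account whose password should be reset.

    In a live system this runs at password-set or login time, when the plaintext
    is in hand; it cannot be run against stored hashes.
    """
    findings = []
    for rec in records:
        pw = rec["password"]
        if matches_legacy_format(pw):
            findings.append((rec["user_id"], "legacy NRIC+DOB format"))
        elif is_identity_derived(pw, rec["nric"], rec["dob"]):
            findings.append((rec["user_id"], "contains NRIC fragment or DOB"))
    return findings


# Constructed sample accounts; NRIC values are fake and the passwords illustrative.
SAMPLE_ACCOUNTS = [
    {"user_id": "u001", "nric": "S1234567A", "dob": date(1980, 1, 1),
     "password": "567A01Jan80"},                    # legacy auto-generated format
    {"user_id": "u002", "nric": "T0012345B", "dob": date(1990, 2, 15),
     "password": "Kitty150290!"},                   # DOB as DDMMYY embedded
    {"user_id": "u003", "nric": "S7654321C", "dob": date(1975, 6, 30),
     "password": "correct horse battery staple"},   # unrelated to identity data
    {"user_id": "u004", "nric": "S2222222D", "dob": date(1988, 8, 8),
     "password": "2222D-rocks"},                    # NRIC suffix reused
]

if __name__ == "__main__":
    for user_id, reason in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{user_id}: reset required ({reason})")
```

Running the block lists u001, u002 and u004 as needing a reset; u003 passes. The fragment length and DOB formats are the knobs to tune: lowering `MIN_FRAGMENT` to 3 catches more reuse but also more coincidental digit runs.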
4 practical steps to comply
Businesses should view this advisory as an opportunity to modernize their authentication infrastructure to deliver more secure services:

Why this advisory makes sense
NRIC numbers were never designed as confidential information. They appear on employment records, driving licenses, medical forms, and numerous public documents. When businesses treat them as authentication factors, they inadvertently encourage the reuse of these credentials that attackers can harvest and exploit.
By moving to risk-based authentication and MFA, businesses not only protect customer data but also reduce the likelihood of regulatory fines under the PDPA or equivalent data-protection regimes.