Thursday, July 31, 2025
S’pore Government Urges Private Sector to Stop Using NRIC Numbers as Login Credentials

Singapore’s Ministry of Digital Development and Information (MDDI), along with the Personal Data Protection Commission (PDPC) and the Cyber Security Agency (CSA), has issued a joint advisory calling for private sector organisations to immediately halt the use of NRIC numbers for authentication purposes.

According to the advisory released on 26 June 2025, businesses across various industries continue to rely on NRIC numbers as a form of identity verification or default passwords—a practice the government now deems unsafe. The advisory highlights that NRIC numbers are unique but not confidential, making them inappropriate for authenticating individuals accessing sensitive services or personal data.

MDDI noted that although NRIC numbers are useful as identifiers (e.g., for recognising who a person is), they must not be used to prove a person’s identity—especially in systems where identity verification safeguards sensitive data such as medical records, bank accounts, or confidential business information.

Stop Using NRIC Numbers as Passwords, Say Authorities

The advisory also warns against common practices such as using partial NRIC numbers in password structures or pairing NRIC digits with other easily accessible personal data like birthdates. These methods, it stressed, expose individuals to identity theft, account takeovers, and financial fraud.

Instead, businesses are encouraged to adopt multi-factor authentication methods that are far more secure. Recommended options include strong passwords (something the person knows), security tokens or smart cards (something the person owns), and biometric identification like fingerprint or facial recognition (something the person is).

The agencies further urged companies to perform a risk-based assessment of their authentication protocols—considering the value of the data being protected, the level of potential threats, and ease of user access.

No Point Masking NRIC Numbers, Says MDDI

In an earlier statement made in December 2024 regarding the publication of NRICs on the ACRA Bizfile portal, the government clarified its stance that masking NRIC numbers offers little security value. NRICs are designed to be public identifiers—like names—and attempts to hide them create a false sense of protection.

MDDI explained that with simple algorithms and knowledge of a person’s birth year, it is possible to guess a masked NRIC number. Therefore, the real danger lies in misuse, particularly when organisations treat NRIC numbers as secret keys to authorise actions or retrieve information.

The Singapore Government reaffirmed its commitment to protecting citizens’ personal data and announced ongoing collaboration with key sectors like finance, healthcare, and telecommunications to develop customised authentication standards.

Transition Towards Safer Cybersecurity Practices

Singapore’s authorities stressed that while this change may take time for businesses and individuals to adapt to, it is a necessary evolution in the face of growing cybersecurity risks and data breaches globally.

The public is advised to remain vigilant and avoid services that request NRIC numbers for logging in or resetting passwords. Businesses are encouraged to seek guidance via the PDPC or CSA portals to implement more robust identity management systems.
