Digital Authentication and Trust Mechanisms as the Foundation for Digital Public Infrastructure (DPI) in Southeast Asia

This content was originally posted on ccapac.asia. The Coalition for Cybersecurity in Asia-Pacific (CCAPAC) is a group of industry stakeholders dedicated to positively shaping the cybersecurity environment in Asia through policy analysis, engagement, and capacity building. Access Partnership is the secretariat for CCAPAC.

Southeast Asia’s public sector and citizen services have undergone rapid digital transformation in the last decade, fuelled by the expansion and adoption of cloud computing services in the region. Governments and businesses are increasingly migrating services online, promising citizens greater convenience and efficiency. From digital banking and finance to e-government portals and healthcare access, online citizenship and access to digitally enabled public infrastructure is becoming central to daily life.

However, this digital leap hinges on a critical, often unseen and unsung, foundation of digital public infrastructure (DPI): secure and reliable online authentication. Robust digital identification and authentication mechanisms are paramount for building trust and ensuring the integrity of Asia Pacific’s growing and evolving digital ecosystem.

What are digital authentication and trust mechanisms?

At its heart, online authentication verifies that users are who they claim to be, providing trust in the transaction. These mechanisms are vital for protecting personal data and preventing fraud. Authentication and trust mechanisms generally fall into three categories: (1) something you know, also known as Knowledge-Based Authentication (KBA); (2) something you have, also known as Possession-Based Authentication; and (3) something you are, also known as Inherence-Based Authentication (biometrics). The strongest approaches now combine these elements.

Trust Mechanism 1 – Knowledge-Based Authentication (KBA)

The most common form of authentication, KBA, relies on information only the user should know. This has traditionally included information such as:

  • Passwords and PIN codes
  • Security questions, such as “your mother’s maiden name”, “where you went to school”, or “your pet’s name”

KBA is the simplest form of authentication to implement; however, this trust mechanism has significant weaknesses. For example, users sometimes choose weak passwords or reuse them, making them vulnerable to phishing, data breaches, and credential-stuffing attacks.

The password “123456” has consistently ranked as the #1 password used by people for many years; the time it takes to crack the password today with a bot is <1 second. For critical citizen services, KBA alone is no longer considered sufficient in a robust DPI.

Trust Mechanism 2 – Possession-Based Authentication

The second form of verification provides identity authentication using something the user physically possesses. Examples include:

  • One-Time Passwords (OTPs) generated by hardware tokens (increasingly outmoded) or, more commonly, sent via SMS to a mobile phone, or created by authenticator apps (like Google Authenticator or Authy) on a smartphone, or passkeys (tied to a specific device)
  • Smart cards with embedded chips, requiring a reader
  • In some instances, location-based authentications where GPS coordinates, network parameters, and network metadata are used to prove the physical access location

Possession-based authentication mechanisms significantly enhance security. If a password is stolen, the attacker still needs the physical token or device in order to access the service or information.

Additional security can also be added with Time-based OTPs (TOTP), where an OTP has to be entered within a certain period of time before it expires, e.g., within 60 seconds.

However, as technology advances, so do cybercriminal methods, and today SMS OTPs are vulnerable to SIM swapping, making app-based token authenticators a generally more secure choice for possession-based authentication methods. In July 2024, major Singapore banks started to phase out OTPs for token authentication, in a bid to bypass the risk of SMS OTP hijacks.

Trust Mechanism 3 – Inherence-Based Authentication

Also known as biometrics, this method authenticates users based on their unique biological characteristics – i.e., it requires you to demonstrate “something you are.” This includes the following:

  • Fingerprint scanning – this is widely used in smartphones and for official identification
  • Facial recognition – it is increasingly common for device unlocking and identity verification, often enhanced by “liveness detection” to prevent spoofing with photos or videos
  • Iris or retina scans – these offer very high accuracy of verification but are typically used in high-security scenarios
  • Voiceprint/voice recognition – this method is used in some service applications

Biometrics offer convenience and strong security, as these traits are difficult to replicate. However, the secure storage of biometric data is crucial, as a compromised biometric template is a permanent loss. Privacy concerns and the potential for algorithmic bias also need careful management.

Tools for Humanity (TfH) is a tech company founded by OpenAI’s CEO Sam Altman, which is collecting biometric data in a WorldID project to streamline digital verification. However, in Indonesia, the government has halted its data collection in the country due to concerns over data privacy and protection of its citizen data. Kenya’s High Court has also ruled against WorldID’s biometric data collection in its country.

Trust Mechanism 4: The hybrid approach – Multi-Factor Authentication (MFA)

MFA is currently the recommended best practice globally, combining two or more independent authentication factors. For example, a password (knowledge) plus an OTP from an authenticator app (possession), and/or a fingerprint scan (inherence) to authorise a transaction initiated via a mobile app (possession).

Having an MFA trust mechanism creates layered security, making it significantly harder for attackers to gain unauthorised access, even if one factor is compromised.

Barriers to digital authentication and trust mechanisms in Southeast Asia

Despite strong strides to develop digital authentication and trust mechanisms, there are barriers in Southeast Asia when implementing a safe, secure, and inclusive online authentication ecosystem.

Digital divide

In many countries – even developed countries – there is a digital divide, where disparities in internet access, as well as digital literacy, hinder adoption of authentication mechanisms. These divisions could run along economic lines (too expensive to own and maintain a smartphone with subscription) or other socio-demographic lines (the elderly are often not enrolled in digital identity systems, and are therefore excluded from the digital economy).

Data protection and privacy

Other concerns include privacy and data protection worries, where citizens may not be comfortable sharing and storing sensitive personal and biometric data.

A lack of security awareness

The success of any identity and authentication solution hinges on the public’s readiness to use it. This extends beyond understanding its value and must include understanding its security features. With more than 50 known ways to breach Multi-Factor Authentication, it is essential not only to choose the right technology but also to educate the public on its proper use.

Cost of infrastructure investment, development and interoperability

There will be an initial set-up cost for building and maintaining a secure national digital ID and authentication infrastructure. In many instances, this cost would also entail the enrolment of all citizens into a national ID plan. This large initial capital outlay may be daunting to some countries. In addition, there will be a need to fund the continued maintenance and improvement of the public service system, such as building in interoperable functions so that the system can work seamlessly across different government agencies and, potentially, across borders.

Next steps for digital authentication and trust mechanisms – future trends and the role of industry

The future of authentication will likely see greater adoption of newer methods and combinations of authentication mechanisms, such as:

  • Zero trust/password-less methods such as the Fast IDentity Online (FIDO) standard
  • Hybrid MFA leveraging biometric authentication, and potentially mobile-first digital IDs
  • Adaptive authentication, which adjusts security requirements based on risk

Building a trusted digital future for Southeast Asia requires a concerted effort from governments, citizens, and the private sector. Governments must champion secure and inclusive digital ID frameworks, the private sector must innovate responsibly, and citizens must be empowered with the knowledge to protect themselves online. Secure online authentication is not merely a technical feature; it is the bedrock of digital trust.

CCAPAC contributes to this discussion through:

  • Providing policy input and advocating for strong data privacy and security standards
  • Facilitating knowledge sharing and capacity building among member organisations and government agencies
  • Promoting the adoption of international best practices and interoperable solutions
  • Raising public awareness about secure online practices and the benefits of robust authentication

By working together, we can ensure that the region’s digital transformation benefits all, fostering a secure, inclusive, and prosperous digital society.

Appendix: Southeast Asia’s Digital Identity, Citizen Services, and Authentication Landscape

Countries across Southeast Asia are at various stages of implementing national digital ID systems and leveraging them for online authentication, using the methods mentioned. Here we break down examples from across the region.

Brunei Darussalam started to issue smart identity cards at the end of 2024. The country provides access to online government services via the e-Darussalam portal, which employs username/password and OTPs for authentication.

Figure 1: Brunei – Smart Identity Card

Image source: https://borneobulletin.com.bn/no-more-photocopying-your-ic-senior-official/

Cambodia is introducing new electronic ID cards with chips and QR codes in 2025, which will replace and update the existing card. It will come in both plastic and digital format, the latter of which is planned for interaction with other digital services that the government is developing.

Figure 2: Cambodia – Chip and QR-code Identity Card

Image source: https://www.khmertimeskh.com/501664777/govt-introduces-new-format-id-card/

Indonesia’s e-KTP (Electronic Kartu Tanda Penduduk) is a biometric national ID card crucial for accessing many public services. It will form the digital identity backbone for citizens and residents in the country. The government is planning its integration into seamless online authentication for a wide range of public sector digital services.

Figure 3: Indonesia’s Electronic Kartu Tanda Penduduk

Image source: https://disdukcapil.banyuasinkab.go.id/persyaratan/kartu-tanda-penduduk-elektronik-ktp-el/

Laos officially announced and launched its national digital ID card rollout in July 2024 at the National Convention Centre in Vientiane. The project is being implemented together with Vietnam, and includes building a national data centre, consolidation of citizen population data, and implementing data security on the information in the data centre.

Figure 4: Laos – National Identity Card

Image source: https://kpl.gov.la/En/detail.aspx?id=91202

Malaysia’s national ID card is called MyKad and is a long-standing multipurpose smart ID card with biometric data and a PKI chip. It is used for some e-government services, often requiring a card reader and PIN (i.e. multifactor authentication), with ongoing efforts to expand its digital authentication utility.

Figure 5: Malaysia’s MyKad

Image source: https://www.malaysia.gov.my/portal/subcategory/19

Myanmar continues its e-ID project involving biometric data collection. These foundational ID systems are crucial precursors to more sophisticated online authentication mechanisms for citizen services.

The Philippines’ Philippine Identification System (PhilSys) and its associated PhilID card form the foundation of the country’s ongoing development of digital public infrastructure (DPI). While the immediate priority is establishing a universal ID, PhilSys is designed to enable more secure and streamlined online authentication for both public and private services in the future.

Figure 6: The Philippine Identification System and the PhilID card

Image source: https://philsys.gov.ph/national-id-briefer/

Singapore’s SingPass is the country’s national digital identity platform, which provides access to an array of government and private sector services. SingPass uses MFA extensively, typically via its mobile app, combining something the user has (the registered phone) with something they know (a 6-digit passcode) or something they are (fingerprint or facial scan).

Figure 7: Singapore’s SingPass mobile phone app

Image source: https://app.singpass.gov.sg/

Thailand is actively rolling out its digital ID framework. Citizens can use digital versions of their ID cards via mobile applications, with authentication often involving mobile OTPs and a move towards biometric verification for more sensitive transactions.

Figure 8: Thailand Digital ID Authentication Mechanism (in Thai)

Image source: https://www.facebook.com/THDigitalID/photos/pb.100055149085739.-2207520000/275647299625447/?type=3

Vietnam is rapidly developing its online public services and digital government capabilities with a modernised digital identity and VNeID mobile application. VNeID aims to integrate various citizen documents and facilitate secure MFA for public services, incorporating OTPs and biometric capabilities.

Figure 9: Vietnam’s VNeID and government services mobile app

Image source: https://en.vneconomy.vn/vietnam-streamlines-online-public-services-with-nationwide-vneid-adoption.htm
