Thursday, October 25, 2018

An alternative to CorpPass

I wish to share my views about CorpPass.

I find CorpPass to be poorly implemented. It is a project under GovTech and is under the Smart Nation.

Prior to CorpPass, I was able to sign in with SingPass to carry out transactions with govt agencies. I am registered as the authorized person for my own company and for an association where I am the president.

Life was relatively easy, after I got used to the system. They introduced 2FA authentication with SMS. It was unnecessary, but I accepted it.

I could use SingPass for my personal business and for non-personal business.

Later, they introduced CorpPass. I have to register a separate CorpPass ID for each entity. So, I have two CorpPass IDs. But if I am involved with more organizations, I need additional IDs. It is difficult to handle so many IDs. I have to record them somewhere.

The CorpPass ID requires me to have the business ID (also called the UEN), a user ID and a password. It also requires 2FA authentication that is linked to a personal mobile phone.

Someone justified the use of a separate CorpPass so that it can be de-linked from the person, i.e., to allow other staff to do the work when the main person is not available.

If this is the case, why link the 2FA to a personal mobile phone? I cannot imagine the authorized person leaving the mobile phone with a staff member to handle the transactions.

It is also a bad idea to allow a third party to access your own CorpPass ID. After a while, you do not know who handled the transaction on your behalf.

The risk of fraud becomes much bigger with this process.

We should revert to the use of SingPass and get rid of CorpPass completely. There is no use for this additional feature. It is complicated and unnecessary.

We still need a way for a person to appoint another person to handle transactions on his behalf. This can be done by appointing another person as a delegate.

For example, I am the director of my company. I can appoint my staff, using his SingPass, to be my delegate for handling transactions for that company.

That person can act on my authority. However, the transaction is identified to that delegate. I can trace what the delegate has done on my behalf.

Using this delegate method, each person still uses his own SingPass. He is allowed to appoint his delegate to handle transactions for a corporation.
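The delegate approach described above, sketched as an added example: it is not part of the original post and is not SingPass, CorpPass or GovTech code. The class, method names, personal IDs and the sample UEN are hypothetical; the point it shows is that every transaction records the person who actually signed in alongside the person whose authority was used.

```python
from dataclasses import dataclass, field

@dataclass
class DelegationRegistry:
    """Hypothetical model: every user signs in with a personal ID only."""
    authorized: dict = field(default_factory=dict)   # entity -> set of personal IDs
    delegations: dict = field(default_factory=dict)  # (entity, delegate) -> appointer
    audit_log: list = field(default_factory=list)    # one dict per event

    def _log(self, event, entity, actor, on_behalf_of, detail):
        rec = {"event": event, "entity": entity, "actor": actor,
               "on_behalf_of": on_behalf_of, "detail": detail}
        self.audit_log.append(rec)
        return rec

    def appoint(self, entity, appointer, delegate):
        # Only a person registered as authorized for the entity may delegate.
        if appointer not in self.authorized.get(entity, set()):
            raise PermissionError(f"{appointer} is not authorized for {entity}")
        self.delegations[(entity, delegate)] = appointer
        return self._log("appoint", entity, appointer, appointer, delegate)

    def revoke(self, entity, appointer, delegate):
        # Revocation removes access without changing anyone's credentials.
        if self.delegations.get((entity, delegate)) != appointer:
            raise PermissionError("only the appointer can revoke this delegation")
        del self.delegations[(entity, delegate)]
        return self._log("revoke", entity, appointer, appointer, delegate)

    def transact(self, entity, actor, action):
        # `actor` is whoever actually signed in; it is never replaced by the principal.
        if actor in self.authorized.get(entity, set()):
            principal = actor
        elif (entity, actor) in self.delegations:
            principal = self.delegations[(entity, actor)]
        else:
            raise PermissionError(f"{actor} may not act for {entity}")
        return self._log("transact", entity, actor, principal, action)

    def done_on_behalf_of(self, principal):
        # What the principal can trace: transactions others made on their authority.
        return [r for r in self.audit_log if r["event"] == "transact"
                and r["on_behalf_of"] == principal and r["actor"] != principal]

# Constructed sample data: the UEN and personal IDs are placeholders.
reg = DelegationRegistry(authorized={"UEN-SAMPLE-1": {"director"}})
reg.appoint("UEN-SAMPLE-1", "director", "staff_a")
reg.transact("UEN-SAMPLE-1", "staff_a", "file annual return")
reg.transact("UEN-SAMPLE-1", "director", "update address")
```
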

There is still time for GovTech to rectify the shortcomings of their CorpPass system. They can use this delegate approach.

I hope that GovTech have big ears and will act on this feedback. I wish them all the best.

Tan Kin Lian
