Singapore Just Killed the Password — And It's Costing Scammers $40 Million a Year

Picture this: it's 9pm, you're half-watching TV, and your phone buzzes with a text telling you to log in and verify your account or something gets locked. You tap the link. It looks exactly right — the logo, the colors, the form fields. You type your password. Done. Except you just handed it to a scammer running a fake copy of the real website. You weren't careless. You were just tired. That scenario is costing Singapore's residents S$40 million a year in phishing losses — and it's exactly why the country just made a decision that every government, bank, and employer in the world should be watching very closely.

TL;DR

Singapore has added "passkeys" — a way to log in without a password — to Singpass, its national digital ID system, because the safest password is one that doesn't exist to be stolen in the first place.

Singapore's Singpass is the digital ID login that 4.5 million people use every single month to access over 2,700 government and private-sector services — think tax filings, healthcare records, banking, and more. As of July 2026, those users now have the option to log in using a passkey. No password. No one-time code texted to your phone. Just a quick face scan or fingerprint on your own device, and you're in. Biometric Update broke the story, and the details are worth understanding — because this isn't a tech upgrade. It's a direct response to a crime wave.

Why Passwords Are the Problem — Not You

Here's the thing nobody tells you clearly enough: when you get phished, it usually isn't because you're naive. It's because phishing attacks are designed to catch you when you're distracted, rushing, or just autopiloting through your inbox. The human brain is not built to slow down every single time it sees a login screen and check whether the URL is exactly right, whether the padlock icon is real, whether the email came from an address that is one suspicious letter off from the real one.

Passwords are a shared secret — you know it, and the website knows it. The moment you type that password into a fake login page, the secret isn't shared between two trusted parties anymore. It belongs to whoever built that fake page. And those pages? They can be built in minutes and look indistinguishable from the real thing. Singapore's government technology agency, GovTech, made clear that fake login pages and fraudulent QR-code flows are exactly how phishing attacks have been draining money from ordinary people.

S$40M lost annually to phishing scams in Singapore, the direct cost that triggered the Singpass passkey rollout (Source: ID Tech Wire)

Passkeys solve this at the architecture level — meaning the fix is baked into how the system works, not how carefully you behave. A passkey is a pair of digital keys (think of them like a unique lock-and-key set) generated on your device. One key stays on your phone or computer. The other lives with the real website. When you log in, your device and the real server do a split-second handshake that proves it's really you — and really them. A fake website cannot complete that handshake. There is no password floating through the air for anyone to grab. According to ID Tech Wire, Singpass uses a device-bound model — meaning the passkey lives on your specific phone and doesn't sync to a cloud backup. If your device is reported stolen, GovTech can kill that passkey remotely. That's a meaningful layer of control that most consumer apps don't have.

How We Got Here: A 10-Year Security Upgrade in Fast-Forward

Singpass didn't jump straight to passkeys from nothing. It's been evolving its security step by step since 2015 — SMS one-time codes (those six-digit texts), then QR code logins in 2018, then face verification in 2022. Each upgrade came in response to how scammers adapted to the previous system. That pattern matters: every time a new barrier goes up, attackers look for the next weak spot. Phishers adapted around SMS codes almost immediately. So the goal now is to remove the thing that every previous system had in common — the shared secret, the piece of information that can be tricked or intercepted.

The broader security industry has been pushing in this direction for years. In 2026, this reached a point of no return. The US government's national standards body — NIST (the National Institute of Standards and Technology) — formally recognized passkeys as meeting what it calls "AAL2" compliance. That's security-speak (stay with me) for "strong enough to protect sensitive accounts," the bar required for healthcare, government, and financial services. According to a detailed 2026 industry analysis on Gupta Deepak, Apple, Google, and Microsoft have all committed to passkey support across their platforms — which means the infrastructure to replace passwords everywhere already exists. Singapore isn't experimenting. It's deploying at scale.

"Passkeys are more secure because they use public key cryptography (a type of math-based lock that only works in one direction). When you register a passkey on a website, your device creates a unique pair of cryptographic keys — a public key that the website stores and a private key that never leaves your device." — Deepak Gupta, The Complete Guide to Passwordless Authentication in 2026

The UK's National Cyber Security Centre — their version of a government cybersecurity watchdog — has also published formal guidance backing passkey adoption, noting that phishing resistance is the defining advantage over every password-based system. You can read their position at NCSC. This isn't one country deciding to go its own way on security standards. It's a coordinated, global shift.


Why This Matters for You — Right Now

  • Phishing hits everyone — not just the careless — Fake login pages are so convincing that they catch people who know about phishing, simply by striking when they're tired or distracted. Passkeys break this attack at the root.
  • 📊 Passkeys already work on your phone — If you've used your face or fingerprint to log into an app, you've already used the same technology. This isn't sci-fi. It's on your lock screen right now.
  • 🔐 The gap between password-based and passkey systems is about to become a legal line — NIST's formal recognition means organizations in regulated industries (healthcare, finance, government) will face pressure to adopt phishing-resistant login or explain why they didn't.
  • 🔮 Your bank or employer may offer this sooner than you think — According to Security Boulevard, 2026 marks the shift from "identifying the right solution" to actually rolling it out at scale — the industry calls it the "Age of Industrialization." Translation: it's happening now, not someday.

The Speed Bonus Nobody Mentions

Security upgrades usually come with a tax — a new friction, an extra step, another thing to remember. Passkeys are almost annoyingly the exception. Microsoft's analysis found that logging in with a password takes an average of 24 seconds — by the time you remember it, type it, wait for the SMS code, type that too. Passkeys average around 8 seconds. Face scan. Done. That's a genuinely better experience, not just a safer one. (Rare, right? A security improvement that also saves you time.)

The detail that matters most, though, is what Computer Weekly highlighted in its coverage: passkeys are bound to both the device and the real domain. They will not fire on a copycat website — not even a perfect-looking one. The passkey just... refuses. There's no warning to dismiss, no fine print to read, no split-second judgment call to get right when you're exhausted. The system handles it. That's the design philosophy shift: stop asking humans to perform security theater and start building systems that don't need them to.
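
For readers who want to see the handshake and the domain binding in code, here is an added example (not from Singpass, GovTech, or any source quoted in this article) that simulates a WebAuthn-style passkey login in Node.js. The class and function names and the `login.example` / `login-example.test` domains are made up for illustration, and two things are simplified: the site identifier (RP ID) is taken to be the hostname of the page, and the authenticator data is reduced to the hash of that identifier.

```javascript
// Added example: simulated passkey login. All names here are hypothetical.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Authenticator: keeps private keys on the device, filed under the site (RP ID)
// that registered them.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey; // only the public half goes to the website
  }
  // `origin` is reported by the browser, not chosen by the page.
  sign(origin, challenge) {
    const rpId = new URL(origin).hostname;
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no passkey for this domain, so nothing to hand over
    const clientData = Buffer.from(JSON.stringify({ origin, challenge: challenge.toString('base64url') }));
    const authData = sha256(rpId); // simplified: real authenticatorData adds flags and a counter
    const signature = crypto.sign('sha256', Buffer.concat([authData, sha256(clientData)]), privateKey);
    return { clientData, authData, signature };
  }
}

// Server (relying party): checks challenge, origin, RP ID hash, then the signature.
function verifyLogin(expected, publicKey, assertion) {
  if (!assertion) return 'no-assertion';
  const client = JSON.parse(assertion.clientData.toString());
  if (client.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== expected.origin) return 'bad-origin';
  if (!assertion.authData.equals(sha256(expected.rpId))) return 'bad-rp-id';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientData)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const real = { origin: 'https://login.example', rpId: 'login.example' }; // constructed values
  const phone = new Authenticator();
  const publicKey = phone.register(real.rpId);
  const challenge = crypto.randomBytes(32);
  const expected = { ...real, challenge };
  const genuine = verifyLogin(expected, publicKey, phone.sign(real.origin, challenge));
  // Copycat page relays the real challenge, but the browser reports the copycat's own origin.
  const copycat = verifyLogin(expected, publicKey, phone.sign('https://login-example.test', challenge));
  // An earlier genuine response is useless once the server has issued a fresh challenge.
  const replay = verifyLogin({ ...real, challenge: crypto.randomBytes(32) }, publicKey, phone.sign(real.origin, challenge));
  return { genuine, copycat, replay };
}
```

Calling `demo()` shows the three outcomes side by side: the real site gets `ok`, the copycat gets nothing to verify because the device holds no key under its name, and a replayed response fails the challenge check.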

What You Can Actually Do About This Today

You don't need to wait for your government to catch up to Singapore. Here's the one practical thing worth doing right now: check whether your most important accounts — email, banking, work login — already offer passkey support. Both Google and Apple have built passkey management into their operating systems. If your bank or email provider offers it, you can likely switch today without downloading anything. Look for "security keys," "passwordless sign-in," or "passkey" in your account security settings.

If you've ever had that moment of panic — clicking a link and then thinking, "wait, was that real?" — that hesitation is your gut correctly identifying the weakest point in password-based security. The good news is that the fix exists, works, and is already on your phone. The honest caveat: if you switch and lose your device without setting up a recovery option first, getting back into your account is harder. Set up the recovery path before you need it. That's the one step that bites people.

Key Takeaway

Passwords get stolen not because you're gullible, but because they exist to be stolen. Singapore's Singpass rollout is proof that governments are now treating this as an infrastructure problem — and the solution is removing the password entirely, not making you more careful about it.

Singapore is running this system across 4.5 million active monthly users and 41 million annual transactions. That's not a test. That's a proof of concept at national scale — and it's already live. The real question isn't whether passkeys work. It's how long the rest of the world's banks, hospitals, and employers will keep asking you to type a password into a form field while scammers stand by with a net, waiting for the one night you're tired enough to hand it over.

At S$40 million in annual phishing losses — and that's just one city-state — the cost of waiting is no longer abstract. It has a number.
