Wednesday, 26 July 2017

SingPass 2FA does 'eff all'

I arrived in Singapore on 4th July. This was published on 7th of July 2017:

Have a new system for public? Test it rigorously first

All my attempts to apply for a SingPass two-factor authentication (2FA) have disappeared into a black hole.

Late last year, I was instructed to obtain a 2FA to make government transactions more secure.

But none of the options on the relevant website applied to me, as I live overseas.

After several e-mails and submitting scans of various documents, my application ground to a halt. I could not proceed with the registration online.

I called the helpline, whereupon a robotic voice took me from one option to another and landed me back at square one.

When I finally spoke to a human officer, I discovered that Assurity, the private company charged with dishing out 2FAs, has no records of my London address to which a token is supposed to be sent, and it insisted that it could not send one to my Singapore address.

I had to go down in person, I was told, and at least this helped resolve the matter.

If I did not happen to be back in Singapore, I would forever be locked out of the Singapore system. I could not even renew my passport.

This is not a complaint about personal inefficiency or individual unpleasantness.

It is a reminder that if the authorities wish to attempt such an onerous exercise, then the system should first be piloted with a group of disparate potential users.

Why allow only users of Singapore-registered mobile phones?

Call in some user-experience experts, test every scenario, and note that Singaporeans living overseas are as varied as they can get.

If the authorities cannot exhaust the ways of dealing with anomalies, then at least have an option within the protocol to deal with such matters satisfactorily.

===

The original:




BLACK HOLES DO EXIST
All my attempts to apply for my SingPass 2FA have disappeared into a black hole.

Late last year I was instructed to obtain a ‘2FA’ to make government transactions more secure.

I get that. My banks require two- or even three-part verification.

But boy! Do they make it difficult for Singaporeans who reside overseas!

None of the options on the relevant website applies to me.

After several emails, and having submitted scans of various documents, my application ground to a halt.

As I am in Singapore, I queued up at a CPF office to resolve this matter.

I could not proceed with the registration online as the (not so) civil servant said I could.

I called the helpline whereupon a robotic voice took me round and around the different options and landed me back at square one.

When I finally spoke to a human being (Daniel) I discovered that Assurity, the private company charged with dishing out 2FAs, have no records of my London address to which a token is supposed to be sent.

First they refused to register my overseas address. Now they insist that they cannot send it to my Singapore address.

Or I must attend one of two addresses in Singapore, which defeats the purpose of going online, surely.

If I did not happen to be back in Singapore, I will forever be locked out of the Singapore system. I can’t even renew my passport.

Am I now a lesser-spotted Singaporean?

This is not a complaint about personal inefficiency or individual unpleasantness. It is a reminder that if you wish to attempt such an onerous exercise, then pilot-test the system with a group of disparate potential users.

Mapping processes on a flowchart is inadequate. Reality does not always fit in with your limited categories. Why only allow Singapore-registered mobile phones?

Call in some user experience experts. Test every scenario. Note that Singaporeans living overseas are as varied as you can get.

If you cannot exhaust the ways of dealing with anomalies, then at least have an option within your protocol to deal with such, satisfactorily.

Incidentally, why ‘2FA’? Have you not heard the term ‘eff (sounds like ‘fook’) all’?

For me, ‘2FA’ = ‘total eff all’. So far.

No comments: