Platform
Platform
Drop-In Authentication
Passkeys
Phishing-resistant, FIDO2/WebAuthn
Biometric authentication
Face and device-native biometrics
WhatsApp OTP
Global reach, lower cost than SMS
Email OTP
Universal second factor
App push authentication
Native device push notifications
Palm biometrics
Contactless identity verification
All authentication methods
KEY FEATURES
No-code rules engine
Step-up auth, risk policies, alerts
User observability
Audit trails, dynamic linking
Risk-based authentication
Adaptive MFA by context
Session management
Persistent sessions across channels
Digital credentials API
Verify sovereign digital IDs
Pre-built UI
Fastest deployment path
Passkeys
Deploy phishing-resistant passkeys across web and mobile in days
Solutions
Solutions
USE CASE
Account Takeover Prevention
Stop ATO without adding friction
Go Passwordless
Replace passwords with passkeys
Account Recovery
Secure self-service recovery flows
Call Centre Authentication
Verify callers without KBA
SMS Cost Optimisation
Cut OTP costs up to 90%
Existing Apps (Drop-In)
Add auth without re-architecting
Palm biometric payments
Contactless in-store payments
INDUSTRY
Financial Services & Banking
Secure high-value transactions
Healthcare
Authentication for ePHI access
Loyalty Programs
Protect points and member accounts
ROLE
Engineering
Fast integration, flexible SDKs
Product
No-code flows, conversion insights
Cybersecurity
Risk policies, compliance, audit trails
PricingCustomers
Resources
Resources
LEARN
Blog
Guides
Regulatory
Templates
Docs
COMPANY
About Us
Why Authsignal
Partners
Careers
Security
Contact
INTEGRATIONS
Amazon Cognito
Auth0
Azure AD B2C
Custom identity provider
Duende IdentityServer
All integrations
Docs
Start a trial
Book a callLogin
AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Join us today!
Right icon
Blog
/
Current article
Passkeys
Synced passkeys
Device-bound passkeys

Why Singpass built its own passkey manager instead of using iCloud Keychain

Ashutosh Bhadauriya
⬤
July 9, 2026
Share
Why Singpass built its own passkey manager instead of using iCloud Keychain

On July 2026, the Government Technology Agency of Singapore (GovTech) started a beta rollout of passkeys for Singpass, the country's national digital identity app. iPhone users go first, with Android and desktop browser support coming in later phases. Singaporeans can now log in to Singpass with Face ID or a fingerprint instead of a password or an SMS one-time password.

The Singpass passkey is device-bound and lives inside the Singpass app itself. It does not sync through iCloud Keychain or Google Password Manager. That decision changes who controls the credential, how recovery works, and how Singpass sits next to the digital credential work happening elsewhere in identity.

What shipped

Singpass is Singapore's national digital identity, a goverment based digital identity scheme, allowing goverment apps and private businesses to allow residents and citizens to “Authenticate with their government identity”. It began in 2003 as a single login for government e-services and has grown into the layer behind verified data sharing through Myinfo, in-person identity checks through Verify, and document signing. GovTech has added a new authentication method every few years: SMS one-time passwords, QR code login when the Singpass app launched in 2018, and Face Verification from 2020, which matches a live face scan against the government's biometric database and is what Singpass leans on for higher-assurance access. Passkeys are the 2026 addition. They sit alongside the existing authentication methods rather than replacing them, so QR login, Face Verification and SMS OTP all still work.

Singpass has more than 4.5 million monthly active app users running over 41 million transactions a month across roughly 2,700 government and private sector services. When Singpass adds a authentication method, it lands in front of most of the adult population and a large share of the country's regulated services.

The setup is pretty quick. iPhone users update the app, tap a banner on the home screen, and follow a prompt to enable autofill. After that, the passkey option appears on the Singpass login page, and the user unlocks it with a fingerprint, face recognition, or the six-digit Singpass app passcode. Under the hood it is standard WebAuthn: a key pair is generated, the private key stays on the device, and the public key is registered with Singpass. At login, Singpass sends a challenge, the device signs it, and Singpass checks the signature against the stored public key.

Two properties make it phishing-resistant. The passkey is bound to the real Singpass login domain, so it will not sign a challenge from a lookalike site. And when a passkey is used to log in to a service on a second device, a short-range Bluetooth proximity check runs first, so the credential only authenticates a device that is physically nearby. That closes off the remote-relay attacks that have plagued QR code login, where a scammer tricks a victim into scanning a code that authorises the attacker's session.

Phishing was the second most common scam type in Singapore in 2025, with reported losses of around S$39.9 million, and several of those scams used fake Singpass pages or QR flows. GovTech has said, for now, there are no plans to extend passkey support to FIDO2 hardware security keys, though it has left the door open to new methods later.

The app is the credential manager

Most consumer passkeys are synced. When you create a passkey on an iPhone, iCloud Keychain encrypts it and replicates it across your Apple devices. Google Password Manager does the same on Android. Sync is convenient. Lose a phone, sign in to your cloud account on a new one, and the passkeys come back. It also widens the attack surface: recovering the credential now depends on the security of a cloud account, which is why NIST still treats a synced passkey as single-factor.

GovTech went the other way. The Singpass app acts as its own credential provider. On iOS this works through the autofill credential provider mechanism, the same hook that lets apps like 1Password or Microsoft Authenticator supply passkeys system-wide. The difference is that Singpass generates device-bound keys that never leave the phone and never touch a sync fabric.

Device-binding buys the platform three things that a synced passkey cannot give it. The private key cannot be copied off the device or leaked through a breached cloud account. There is a clean revocation story: if a device is lost or stolen, the Singpass app and its passkey on that device are automatically deactivated the moment the user sets up Singpass on a replacement phone. And because the key is tied to one trusted device, GovTech can reason about "one person, one active credential" in a way that a fleet of synced copies makes fuzzy.

The trade-off is the usual one for device-bound credentials, covered in more detail in our comparison of synced and device-bound passkeys. There is no automatic cross-device recovery. If you switch phones, you re-enrol. For a national ID with staffed help desks and in-person service counters, that support cost is affordable in exchange for the control. For a typical consumer app, it usually is not, which is why most of them sync.

There is a second trade-off that matters more for the rest of the industry. The build-your-own-manager model fits a national ID, but it does not generalise. If every bank and government service shipped its own device-bound credential manager, users would end up with a drawer full of single-purpose wallet apps and no clean way to reason about which one holds what. Mobile platforms are built to prevent that. iOS gates third-party credential providers behind a dedicated entitlement and makes the user turn each one on by hand, and app-based passkey providers need iOS 17 or later. The friction is deliberate: Apple and Google would rather people lean on a few credential managers than watch the passkey ecosystem splinter into one app per service. Singpass gets a pass because it is the national identity layer, not one service among thousands.

What this means for relying parties

A Singpass passkey authenticates the user to Singpass, and only to Singpass. Other services, including banks, do not receive the passkey directly. They federate through Singpass over OpenID Connect, using the FAPI2 profile with pushed authorisation requests. So when a bank says its customers log in "with Singpass", the bank is a downstream relying party of an identity provider, not the WebAuthn relying party for the passkey itself. Singpass is both the issuer and the verifier of these credentials. If you want the underlying mechanics, we wrote a guide to relying parties for passkeys that covers the RP ID binding this depends on.

Can a Singapore bank insist that a customer only ever authenticates through the Singpass app, and not through some other passkey provider? At the WebAuthn layer, the tool for this is the AAGUID, the identifier that says which authenticator model created a credential, checked at registration through attestation. A relying party can hold an allowlist of AAGUIDs and reject anything else.

The catch, in the consumer world, is that Apple and Google platform passkeys generally do not provide attestation and report a zero AAGUID, so an RP cannot reliably tell an iCloud Keychain passkey apart from anything else or pin acceptance to it. A dedicated app-based provider is different. An app like Singpass can supply attestation and a stable, identifiable AAGUID, which is exactly what makes AAGUID-restriction feasible. In practice the enforcement point sits with Singpass, which already restricts its passkeys to its own app and its own domain. A bank that federates through Singpass inherits that guarantee without having to run the WebAuthn ceremony itself. The effect is close to what our founder Justin Soong flagged when the news broke: at this level of control, a Singapore service can require a device-bound, government-managed credential as the front door, and never build any of it.

Where this bumps into digital credentials

Once you have a government-issued, device-bound, revocable credential that only the government can mint and revoke, you start to think why it is a passkey at all and not a verifiable digital credential.

The two solve different problems. A passkey proves you control an account. It answers "are you the holder of this Singpass login." A digital credential, whether an ISO mdoc mobile driving licence or a W3C verifiable credential, is a signed attestation of attributes issued by an authority. It answers "what is true about you", and it can be presented to any verifier, with selective disclosure, without a live round-trip to the issuer. We covered that split in digital credentials explained.

Singpass is a national identity system, so it lives on both sides of that line. Today it runs a device-bound passkey plus federation, every login is a live handshake with Singpass, which returns a token to the relying service. A wallet moǰdel would flip that. Singpass could issue a signed credential for a citizen's identity attributes into a wallet, and a bank could verify those attributes directly and cryptographically, seeing only what it needs, without Singpass sitting in the middle of every transaction.

This is where the Digital Credentials API comes in, and why some read it as the pattern that eventually supersedes building your own manager. The DC API is a browser standard. A site calls navigator.credentials.get() with a request, the browser shows which wallets on the device can satisfy it, the user picks one and approves, and the browser hands back a response the verifier checks. Chrome reached general availability with it in version 141 in October 2025, and Apple shipped support in Safari on iOS 26. The credentials stay device-bound, the presentation flow is native and hard to phish because the browser passes the real requesting origin to the wallet, and revocation lives with the issuer. That is most of what GovTech built, delivered as platform plumbing that every service can share instead of each one shipping an app. The spec is still a year or two from becoming a full W3C Recommendation, so this is a direction rather than a finished replacement, but it is the direction the platforms are pushing.

For now, passkeys and digital credentials are complementary. The FIDO Alliance has been explicit that the sensible pattern is passkeys for authentication and verifiable credentials for attribute sharing, and most serious digital ID programmes are heading toward using both. What Singpass has shipped is a strong authentication layer with a design that keeps the credential firmly under the issuer's control. Whether GovTech's next move is a wallet and issued credentials is the question worth watching in the region, because Singapore has a habit of setting the bar and its neighbours tend to follow.

If you build for Singaporean users

If you build products that touch Singaporean users, the near-term change is concrete: your Singpass login flows now sit behind a phishing-resistant, device-bound credential, and the QR and OTP paths that scammers abused are no longer the only option. You do not have to do anything to inherit that, because the enforcement lives inside Singpass. The longer-term signal is that a major government identity programme has committed to device-bound credentials it can revoke, which is the same posture that regulated relying parties keep asking passkey vendors for. Authsignal sits in front of your existing identity provider and gives you that today: device-bound enforcement and AAGUID policies, layered over your current stack without a migration. It is also built for where this goes next, verifying digital credentials over the DC API as wallets reach your users, so you can run the passkey login and the credential check from one place instead of picking a side.

Working through passkeys, device-bound enforcement, or digital credentials on your own stack? Talk to our team.

‍

Question icon
Have a question?
Talk to an expert
NewsletterDemo PasskeysView docs
Passkeys
Synced passkeys
Device-bound passkeys

You might also like

The passkey UX patterns that drive adoption in 2026
Passkeys
Passkeys implementation

The passkey UX patterns that drive adoption in 2026

July 2, 2026
What is silent network authentication, and how does it work?
Silent Network Authentication
SNA

What is silent network authentication, and how does it work?

June 26, 2026
HIPAA MFA requirements and what to do before the final rule lands
Passkeys
Step up authentication
Adaptive MFA
SMS Alternative

HIPAA MFA requirements and what to do before the final rule lands

July 4, 2026

Secure your customers’ accounts today with Authsignal

Passkey demoCreate free account
Authsignal Purple Logo

Authsignal is a drop-in authentication and orchestration layer for consumer-facing businesses. Passkeys, adaptive MFA, and omnichannel verification on top of your existing identity stack. Deployed in weeks, not quarters.

AICPA SOCFido Certified
LinkedInTwitter
Platform
Drop-In Authentication
PasskeysBiometric authenticationWhatsApp OTPEmail OTPApp push authenticationPalm biometricsSMS OTPEmail OTPMagic LinksAuthenticator apps (TOTP)
View all auth methods
KEY FEATURES
No-code rules engineUser observabilityRisk-based authenticationSession managementDigital credentials APIPre-built UI
Pricing
Customers
Solutions
USE CASE
Account takeovers (ATO)
Go passwordless
Call center
SMS cost optimization
Existing apps
Palm biometric payments
View all use cases
industry
Financial services
Healthcare
Marketplace
View all use cases
ROLE
Engineering
ProductCybersecurityDocs
Compare
Twilio Verify vs AuthsignalAuth0 vs AuthsignalAWS Cognito vs Authsignal + AWS Cognito
Resources
LEARN
BlogGuidesRegulatoryTemplatesDocs
COMPANY
About usWhy AuthsignalPartnersCareersSecurityContact
Integrations
Amazon Cognito
Azure AD B2C
Duende IdentityServer
Keycloak
Auth0
NextAuth.js
Custom identity provider
All integrations
United States
+1 214 974-4877
Australia
+61 387 715 810
New Zealand
+64 275 491 983
© 2026 Authsignal - All Rights Reserved
Terms of servicePrivacy policySecuritySystem statusCookies