Singapore’s move to bring passkeys to SingPass reflects a broader shift in how the country approaches digital identity: replacing credentials that can be stolen with ones that remain tied to a trusted device. The same thinking is reshaping enterprise authentication, as organizations increasingly move away from passwords that attackers can phish, intercept, or reuse.
Microsoft’s recent analysis of Windows Hello for Business shows why that approach is gaining momentum. By storing cryptographic credentials on a user’s device rather than sending passwords over the internet, device-bound authentication makes stolen credentials far less useful to attackers. But the research also highlights a challenge Singapore organizations shouldn’t overlook: passwordless security is only as strong as the hardware, policies and deployment behind it.
From government digital services to regulated industries such as finance and healthcare, the shift offers useful lessons for organizations trying to reduce identity-based attacks without creating more friction for users.
Singapore’s passwordless push reflects a wider enterprise shift
GovTech’s rollout of passkeys for Singpass is one of Singapore’s biggest public demonstrations yet of passwordless authentication. Rather than relying on passwords or one-time codes that can be intercepted, passkeys use cryptographic key pairs stored securely on a trusted device, making phishing attacks significantly harder to pull off.
The same architectural principle sits behind Windows Hello for Business. Instead of transmitting a reusable password, the PIN unlocks a private cryptographic key stored locally on the device, meaning attackers cannot simply steal and replay a user’s login credentials through a fake sign-in page.
That distinction matters as Singapore continues strengthening its digital ecosystem. While phishing incidents have declined, authorities have repeatedly warned that AI is helping cybercriminals produce more convincing phishing campaigns, fake websites and voice impersonation attacks. As those attacks become more sophisticated, preventing credential theft altogether is proving to be better than quick detection.
Enterprise deployments may not be as secure as they appear
One of the more valuable lessons from Microsoft’s findings is the gap between perceived security and actual implementation. Many organizations assume that enabling Windows Hello automatically delivers phishing-resistant authentication across every endpoint. In reality, the protection depends on how the feature is deployed.
For the strongest protection, Windows Hello for Business stores cryptographic keys inside a Trusted Platform Module (TPM), isolating them from the operating system and making them substantially harder to extract. Without TPM-backed protection, the authentication experience may look identical to users while offering a lower level of hardware-backed security.
Singapore is in a relatively strong position here. As of writing, Windows 11 accounts for 78.48% of Windows desktop installations in Singapore, giving many organizations access to hardware that already meets Microsoft’s TPM 2.0 requirements.
But adoption statistics do not necessarily reflect deployment quality. Older devices, disabled TPMs, inconsistent provisioning, and legacy authentication policies can lead organizations to believe they have fully deployed phishing-resistant authentication when important gaps remain.
For security leaders, the question is becoming less about whether Windows Hello has been enabled and more about whether it has been implemented as intended.
Must-read security coverage
- UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case
- Blackpoint Cyber vs. Arctic Wolf: Which MDR Solution is Right for You?
- How GitHub Is Securing the Software Supply Chain
- 8 Best Enterprise Password Managers
Passwordless doesn’t eliminate the need for layered security
Moving beyond passwords does not eliminate every authentication risk.
PINs are intentionally short because they never leave the local device. That makes them fundamentally different from passwords, which travel across services and therefore need much higher entropy. Even so, users frequently choose predictable PINs based on birthdays, anniversaries, or repeated digits, which can reduce their effectiveness if an attacker gains physical access to a device.
That reinforces a broader lesson for organizations in Singapore. Authentication should never depend on a single control. Hardware-backed credentials, strong identity policies, phishing-resistant MFA, Conditional Access, risk-based sign-in policies, and user awareness training all contribute to the overall security posture. Strong authentication comes from combining these controls rather than assuming that a single technology solves every problem.
As identity attacks increasingly target people rather than infrastructure, security strategy is becoming less about replacing passwords with PINs and more about building multiple layers that continue to protect users when one control inevitably fails.
What Singapore organizations should review
Singapore’s continued investment in passwordless authentication shows where digital identity is heading, but enterprise deployments require the same level of attention as public-sector rollouts. Organizations should review whether Windows Hello for Business is deployed with TPM-backed protection, verify that phishing-resistant authentication is enforced for privileged accounts, and assess whether Conditional Access policies align with the sensitivity of the systems users access.
The broader takeaway extends beyond Microsoft. Device-bound authentication is becoming a foundational control across modern identity platforms, but technology alone does not determine security outcomes. Hardware, configuration, governance, and user behavior remain equally important in determining whether passwordless authentication delivers the protection organizations expect.