Thoughts: OneKey – Singapore’s latest 2FA system

Last December, OneKey was launched by Assurity Trusted Solutions (subsidary of IDA) to help make online transactions more secure, by adding an additional layer of verification.
And hopefully replacing the current systems that are used (News article found –>; HERE).

A casual sharing session at The PigeonHole early this month, with Assurity Trusted Solutions’ COO – Mr Chai, cleared some doubts and queries we end users have.

1) Size, look and functionality of OneKey:

Around 2/3 size of EZlink card and 2 EZlink card worth in thickness.


2) What does the codes or buttons on it mean and its functions?


OTP –> One Time Password
CR –> Challenge Response
SIGN –> Transaction Signing

Most banks are using OTP for internet banking verification, I’m sure that’s easy enough to understand.
If you are required to do a bank transfer, users will press on SIGN (Transaction Signing) and input account number and amount into the OneKey and it’ll generate a secure code for your transfer. That would minimize possibility of tampering with the amount and account, which some hackers could do.

The most confusing one would be CR (Challenge Response), which probably gives you a string of numbers as verification for a non-financial login?
Hmm, I could be wrong but I’ll read up on it and update this post.


3) How long will the OneKey last, in terms of battery life?

Battery would last for about 5 years.
You can’t replace the battery without replacing the whole OneKey.
Replacement is at SGD11.


4) Do we need to pay for it and who gets it first?

First device is free for all Singaporeans and PR, subsequent device (replacements) will at SGD11.
As for foreigners, it’ll be SGD11 for first device.

Somewhat like the NRIC, registered to you.


For more answers, tutorials or FAQ, check out their site –>; OneKey


A handful of companies (Phillip Securities, Kim Eng Securities and ST Electronics) signed on and will be utilizing OneKey.

Will more be joining them?
Eg. the banks and govt sectors?

That we’ll have to wait and see.

After all, it’s difficult to do a major change without incurring some / huge monetary cost and creating unhappy users.
Not forgetting the time and effort to retrain and create documentation on how it works and what it does.

Always a long and tedious process.



Frankly, I prefer using OTP through sms but lately, there had been delays for OTP send outs, making it rather unreliable when I urgently need it.
And it seems that banks will need to stop using it by end of this year and start using a token (be it their own or a unified one, like OneKey).

As for the token from DBS, I don’t like bringing it everywhere but I understand the need for additional layer of security, for my transactions.

Well, it will be good if they managed to unify and make it OneKey for all.
I don’t want a bag filled with tokens, for each site… or paying SGD20 for each lost token… -_-”

And there will always be a need to have better, if not more, security for online transactions, be it financial or personal data.
Coming from me, someone who had been hacked previously and received odd / unauthorized credit card transactions from overseas sites – better safe than sorry.

Hmm… 😛