The Singpass system uses facial recognition, fingerprint verification, and a cryptographic credential stored on the user's registered device. Physical NRIC cards remain valid but are no longer the primary identity instrument for banking, healthcare, property transactions, or government services. Residents without smartphones can access their credentials through dedicated kiosks at community centres and post offices.

The security architecture has received generally positive assessments from independent cybersecurity researchers, who note that the decentralised credential model — where the cryptographic key is stored on the user's device, not on a central government server — reduces the attack surface compared to centralised identity databases. A successful breach of the Singpass infrastructure would not yield a usable database of credentials; it would require attacking each device individually.

Civil liberties concerns focus on a different dimension: the correlation risk. With a single credential used across banking, healthcare, transport, retail, and government, the system creates the technical infrastructure for comprehensive behavioural surveillance even if current policy prohibits it. That policy can change.

"The architecture is privacy-preserving today," said digital rights researcher Kirra Anderson of the Future of Privacy Forum. "The question is what it is in ten years, under a government that may have different priorities."