
John Lewis dumps RSA tokens for phones

By Ron Condon, UK bureau chief
06 Mar 2008 | SearchSecurity.co.uk


High street retailer John Lewis has revamped the way it authenticates remote users, dropping the tokens it has used since the late 1990s, and adopting a system that uses mobile phones.

The company has around 2,500 employees who regularly need to log on to corporate systems from a remote location, and authentication up to now has been done using SecurID tokens from RSA.

It has now switched to SecurAccess from SecurEnvoy, which communicates directly with the user's mobile phone and sends out a one-time code as an SMS message. John Lewis says the system is easier to administer and less expensive to run, and will now be extended to 12,500 other staff who may only need occasional use of the system.

"The most important benefit of SecurAccess was removing the need to physically distribute tokens for setup, renewal and repairs," said Matthew Clements, a principal programmer at John Lewis. "This obviously resulted in much lower administration costs. Our operations are now streamlined as we have a simple software solution for two factor authentication that back-ends to existing LDAP directories, rather than a disparate proprietary database."

Users logging on through a VPN enter their user name, Windows password, and the six-digit code stored on their mobile phone. As soon as they use the code, another is sent to their phone for their next session. That avoids the problem of them having to wait for an SMS message each time they log on, and also allows them to log on even if they have no signal.
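The pre-loaded code flow described above can be sketched from the server's side. This is an added example, not SecurEnvoy's or John Lewis's code: the class name, the `send_sms` hook and the five-guess lockout are assumptions, the password factor is assumed to be checked separately against the directory, and the code is assumed not to expire until it is used.

```python
import hashlib
import hmac
import secrets


class PreloadedOtpVerifier:
    """Holds exactly one unused six-digit code per user (illustrative only)."""

    def __init__(self, send_sms, max_failures=5):
        self._send_sms = send_sms        # hypothetical SMS gateway hook: send_sms(user, code)
        self._max_failures = max_failures
        self._key = secrets.token_bytes(32)  # server-side MAC key; codes are not stored in clear
        self._pending = {}               # user -> MAC tag of the one unused code
        self._failures = {}              # user -> consecutive wrong guesses

    def _tag(self, user, code):
        msg = f"{user}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user):
        """Generate and send a fresh code; also used to enrol or re-enable a user."""
        old = self._pending.get(user)
        while True:
            code = f"{secrets.randbelow(10**6):06d}"   # six digits from a CSPRNG
            tag = self._tag(user, code)
            if tag != old:               # never re-issue the code that was just used
                break
        self._pending[user] = tag
        self._failures[user] = 0
        self._send_sms(user, code)

    def verify(self, user, submitted):
        """Check the code factor only; the password is assumed to be checked elsewhere."""
        expected = self._pending.get(user)
        if expected is None or self._failures[user] >= self._max_failures:
            return False                 # unknown user, or locked until issue() is called
        if not hmac.compare_digest(self._tag(user, submitted), expected):
            self._failures[user] += 1    # code is assumed not to time out, so cap guesses
            return False
        self.issue(user)                 # burn the used code, pre-load the next session's
        return True
```

Because the code sits on the phone until the next session, replay protection and the guess limit do the work that a short expiry window does in a send-on-demand scheme.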

Adam Bruce, UK channel manager for SecurEnvoy, said people tended to look after their phone more than they did with other devices, such as tokens. But if users do lose their phone, he said, SecurAccess provides a self-service helpdesk facility that allows the user to log on to a website, answer a personal question (such as mother's maiden name) and receive a one-time code to enable them to work.

John Lewis awarded the contract last December following an extended pilot programme involving 500 users. Clements said the new system was well received by most users. "It has been working effectively and we have had no problems with the roll out. One good thing is that if people are wary of having their personal mobile number stored, it is actually all encrypted, so the only people who can see their personal details are the administrators," he said.

He added that ease of use has been a prime consideration: "Users also have one less credential to remember as we have chosen to implement Windows passwords as the second factor."

While it would have been uneconomic to give tokens to all staff, SecurEnvoy's ICE (in case of emergency) pricing programme for occasional users has made it possible to extend remote access out to all 15,000 staff. "This now means that we have the option to give it to a wider user base within the business for secure access to our network, even in the event of an emergency," said Clements.


