
Tokenless two-factor authentication helps council with CoCo compliance

By Ron Condon, U.K. Bureau Chief
12 Nov 2009 | SearchSecurity.co.UK


A Scottish council has found a low-cost way of tightening security for remote workers. Instead of equipping them with special security tokens, it now sends authentication codes to its employees' mobile phones.

More than 1,000 workers at Dundee City Council have been enrolled into the tokenless two-factor authentication system, which provides them with a second factor of authentication, after username and password, when they log on to the council's VPN.

The system is based on the SecurAccess product from SecurEnvoy Ltd., which sends out a unique access code to each user for him or her to then key in when accessing council systems.

As well as making the connections more secure, the system helps Dundee comply with the requirements laid out in the Code of Connection (CoCo) for local authorities connecting to the Government's Secure Extranet (GSX).

Graeme Quinn, IT team leader at Dundee City Council, said the council wanted to increase security, having relied formerly just on usernames and passwords. He considered a group of token-based products, including those from Vasco Data Security International Inc., but finally opted for SecurEnvoy. "One of the big selling points of SecurEnvoy was that it integrated easily with Active Directory, it was easy to deploy, and it sent out the tokens to a mobile phone. So we didn't need any physical tokens to distribute. That was a big plus, certainly," he said.

"SecurEnvoy also supported multiple Active Directories -- we operate across two Active Directories here at the council."

Dundee has adopted VMware for server virtualisation, so SecurAccess runs as a virtual server, with links to the two Active Directories. Users can enrol into the service, which associates them with their AD entry and email address, and asks them to key in their mobile phones' details to enable the codes to be sent to them.

Quinn says that most employees were happy to use their own mobile phones. Where this was not the case, users could choose to have the code delivered either to their personal email address, or to a landline (usually their home number) where the code could be converted to speech.

"There is a good degree of flexibility," Quinn said. "For instance, if you are going to be in a place that has a poor mobile signal, you can have an authentication code sent that lasts a couple of days, or you can have up to three codes sent."

Deployment of SecurAccess was easy, according to the IT team leader. "We just had someone on the end of a phone to talk us through a few things, but apart from that it was not a problem," he said. "We then had to configure the VPN [an SSL VPN from AEP Networks Inc.] to point it at the SecurEnvoy server, and that was it."

Staff training and enrolment were equally trouble-free. "There was some preparation to make people aware of the changes that were happening. And we made sure there were some key people in departments who were up to speed to answer questions," he said. "But the only thing that's changed is that they get an extra box on the screen when they sign in. Inevitably, there was the odd problem with people mis-keying their mobile numbers, for instance, but on the whole it was pretty easy."
