CfBT saves with tokenless authentication
Date: Aug 7, 2013
Guest post: SecurEnvoy.
Not-for-profit organisation switches to tokenless authentication and saves around 30,000 euros
Providing employees with remote access secured only by a user name and password? The non-profit organisation CfBT Education Trust decided that such an approach was no longer secure enough, so the technology specialists installed SecurAccess developed by SecurEnvoy, a software that enables tokenless authentication via mobile devices.
Using this method, staff can now securely identify themselves when logging in from a home office or when travelling – which has led to savings of 30,000 euros compared to the use of a token-based solution.
CfBT Education Trust utilises SecurAccess in order to allow user authentication via mobile telephones.
The CfBT Education Trust is a charity organisation for educational counselling and related services which was founded in 1968 in Reading (UK). It makes educational initiatives accessible to the public, both in England and internationally. Currently, approximately 2,500 people are employed by CfBT around the world, with these providing support, teaching, instruction, training and research relating to educational reforms. The organisation works with individuals and groups. The profiles of the employees are as varied as the target groups; some work exclusively from home, and others are in the office on an irregular basis or are often travelling as part of their work. Logging in to the remote access portal previously required the use of a username and a password. However, those responsible decided that this approach was no longer sufficient in terms of security – they wished for a method for ensuring unambiguous identification of users.
Two factors provide twice as much security
While looking for new alternatives, the decision makers discovered the two-factor authentication concept. This involves the combination of at least two different parameters, known only to, possessed only by or inseparable from (e.g. a fingerprint) the user. After a dissatisfactory test involving a solution that uses dedicated, physical tokens as the second factor, the decision makers decided to try the SecurAccess solution. Instead of utilising an additional, dedicated token, this approach makes use of mobile phones, which users usually always have with them anyway. The system sends a SMS containing a six-digit passcode to the user’s mobile phone. This can be used to log in together with the user’s personal login information. CfBT has had the solution configured so that users receive either a pre-loaded code that updates itself automatically after input, or alternatively a single message containing three codes. The latter method ensures secure authentication even in areas with poor or no mobile phone reception.
Praise for “tokenless concept”
At the start of the project, CfBT tested SecurAccess in small pilot groups. The group participants quickly accepted the system and were able to use it without complications. And after expansion of the system usage, these initial test pilots were able to help new users with any questions and problems. New users can be added by the IT team (also remotely) within just a few hours. By using mobile phones as tokens, CfBT also avoided hidden costs that would inevitably have arisen for management and maintenance tasks relating to the additionally acquired physical tokens.
“SecurAccess really convinced us of the benefits of using mobile phones as authentication tools,” comments David Roy, Technical Solutions Manager at CfBT Education Trust. “Users usually carry their phones with them anyway, and even if someone forgets their mobile phone we can set up a temporary token that is valid for a day or a week. The same approach applies, for example, if users cannot use a mobile phone when abroad or if there is no mobile phone reception. Compared to the implementation of a token-based solution, we have made savings of about 30,000 euros and have also been able to connect more users to the system.”