Swedish truck maker Scania is replacing hardware-based
two-factor authentication from RSA with a software-based system in
a bid to reduce costs.
The company is replacing 2,500 RSA SecurID hardware tokens with
Java software that runs on mobile phones to eliminate the cost of
distributing the hardware tokens to end-users.
Two-factor authentication offers a more secure log-in process than
user name and password alone. A common approach is to use a small
electronic hardware token that displays a unique number, or key,
each time it is used.
The user logs into a corporate IT system using a combination of
user name, password and this key. But being a physical device, it
can be lost or broken. The RSA token also has a fixed life because
it is a sealed unit and users cannot replace the battery when it
dies.
Bo PalmBlad, IT manager at Scania, said, "We needed to change tokens
every three to four years." Scania was incurring costs each time a
battery ran out and the operation was "tough to administer", he
added.
Now, as the RSA tokens expire, PalmBlad is providing users with a
software token called Secure Application Access, supplied by
network security firm Portwise.
Built into the Portwise 4.0 platform, Secure Application Access
allows users to run a Java application on their mobile phones which
provides a security key. They type this in along with a user name
and password to log in to Scania's IT systems.
Two-factor authentication is expected to become more widely used as
IT directors look to address the inherent weakness of
password-based single-factor authentication.
Any software-based approach will be less secure than a
hardware-based alternative because it could be vulnerable to
viruses.
John Meakin, global head of information security at Standard
Chartered Bank, which has deployed RSA SecurID tokens, said users
need to weigh up the risk. "By moving away from passwords to
two-factor authentication, it may be acceptable to take a bigger
risk as overall security is improved," he said.
RSA business development director John Madelin said, "When you
deploy hardware tokens there is an acquisition and deployment cost.
With every customer we look at size, structure and how
authentication is used strategically."