The company has around 2,500 employees who regularly need to log on to corporate systems from a remote location, and authentication up to now has been done using SecurID tokens from RSA.
"The most important benefit of SecurAccess was removing the need to physically distribute tokens for setup, renewal and repairs," said Matthew Clements, a principal programmer at John Lewis. "This obviously resulted in much lower administration costs. Our operations are now streamlined as we have a simple software solution for two-factor authentication that back-ends to existing LDAP directories, rather than a disparate proprietary database."
Users logging on through a VPN enter their user name, Windows password, and the six-digit code stored on their mobile phone. As soon as they use the code, another is sent to their phone for their next session. This means they do not have to wait for an SMS message each time they log on, and they can still log on even if they have no signal.
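The pre-loaded code flow described above can be sketched server-side as follows. This is an added example, not SecurEnvoy's code: the class name, the `send_sms` callback and the lockout threshold are assumptions, and the Windows password check against the directory is left out.

```python
import hashlib
import hmac
import secrets


class PreloadedOtpStore:
    """Keeps one unused six-digit code per user; a correct code is consumed and replaced."""

    def __init__(self, send_sms, max_failures=5):
        self._send_sms = send_sms            # assumed callback: send_sms(user, code)
        self._max_failures = max_failures    # assumed lockout threshold
        self._key = secrets.token_bytes(32)  # server-side key for stored digests
        self._state = {}                     # user -> [digest, failure_count]

    def _digest(self, user, code):
        # Keyed digest so the stored value is not the code itself.
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def _issue(self, user, avoid=None):
        code = avoid
        while code == avoid:                 # never re-issue the code just used
            code = f"{secrets.randbelow(10**6):06d}"
        self._state[user] = [self._digest(user, code), 0]
        self._send_sms(user, code)           # delivered now, used at the next logon

    def enrol(self, user):
        self._issue(user)

    def verify(self, user, code):
        entry = self._state.get(user)
        if entry is None or entry[1] >= self._max_failures:
            return False                     # unknown user or locked out
        if not hmac.compare_digest(entry[0], self._digest(user, str(code))):
            entry[1] += 1                    # wrong guess: keep the code, count the failure
            return False
        self._issue(user, avoid=str(code))   # consume it and pre-load the next code
        return True


if __name__ == "__main__":
    outbox = []                              # constructed stand-in for the SMS gateway
    store = PreloadedOtpStore(lambda u, c: outbox.append((u, c)))
    store.enrol("alice")
    code = outbox[-1][1]
    print(store.verify("alice", code), store.verify("alice", code), len(outbox))
```

Because a six-digit code has only a million possible values, the failure counter is what limits guessing; the code is rotated only on success, so a wrong attempt never triggers a new SMS.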
Adam Bruce, UK channel manager for SecurEnvoy, said people tended to look after their phone more than they did with other devices, such as tokens. But if users do lose their phone, he said, SecurAccess provides a self-service helpdesk facility that allows the user to log on to a website, answer a personal question (such as mother's maiden name) and receive a one-time code to enable them to work.
John Lewis awarded the contract last December following an extended pilot programme involving 500 users. Clements said the new system was well received by most users. "It has been working effectively and we have had no problems with the rollout. One good thing is that if people are wary of having their personal mobile number stored, it is actually all encrypted, so the only people who can see their personal details are the administrators," he said.
He added that ease of use has been a prime consideration: "Users also have one less credential to remember as we have chosen to implement Windows passwords as the second factor."
While it would have been uneconomic to give tokens to all staff, SecurEnvoy's ICE (in case of emergency) pricing programme for occasional users has made it possible to extend remote access out to all 15,000 staff. "This now means that we have the option to give it to a wider user base within the business for secure access to our network, even in the event of an emergency," said Clements.