John Lewis dumps RSA tokens for phones


Ron Condon
High street retailer John Lewis has revamped the way it authenticates remote users, dropping the tokens it has used since the late 1990s, and adopting a system that uses mobile phones.

The company has around 2,500 employees who regularly need to log on to corporate systems from a remote location, and authentication up to now has been done using SecurID tokens from RSA.

It has now switched to SecurAccess from SecurEnvoy, which communicates directly with the user's mobile phone and sends out a one-time code as an SMS message. John Lewis says the system is easier to administer and less expensive to run, and it will now be extended to 12,500 other staff who may only need occasional use of the system.

"The most important benefit of SecurAccess was removing the need to physically distribute tokens for setup, renewal and repairs," said Matthew Clements, a principal programmer at John Lewis. "This obviously resulted in much lower administration costs. Our operations are now streamlined as we have a simple software solution for two factor authentication that back-ends to existing LDAP directories, rather than a disparate proprietary database."

Users logging on through a VPN enter their user name, their Windows password, and the six-digit code already stored on their mobile phone. As soon as a code is used, the next one is sent to the phone ready for the following session. This means users never have to wait for an SMS message at login time, and can log on even when they have no signal.
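The rotation described above, where the stored code is consumed at login and its replacement is sent straight away, modelled server-side as an added example; this is not SecurEnvoy's or John Lewis's code, and the class, the in-memory store, the lock-out threshold and the sample user are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

MAX_FAILURES = 5        # assumed lock-out threshold; the article gives none
PBKDF2_ROUNDS = 200_000

class PreIssuedOtpAuthenticator:
    def __init__(self):
        self.users = {}         # username -> record (hypothetical in-memory store)
        self.sms_outbox = []    # stands in for the SMS gateway

    def _issue_code(self, username):
        code = f"{secrets.randbelow(10**6):06d}"        # fresh six-digit code
        self.users[username]["code_hash"] = hashlib.sha256(code.encode()).digest()
        self.sms_outbox.append((username, code))        # "send" it to the phone

    def enroll(self, username, password):
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = {"salt": salt, "pw_hash": pw_hash,
                                "code_hash": None, "failures": 0}
        self._issue_code(username)      # first code is delivered at enrolment

    def login(self, username, password, code):
        rec = self.users.get(username)
        if rec is None or rec["failures"] >= MAX_FAILURES:
            return False
        pw_ok = hmac.compare_digest(hashlib.pbkdf2_hmac(
            "sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS), rec["pw_hash"])
        code_ok = rec["code_hash"] is not None and hmac.compare_digest(
            hashlib.sha256(code.encode()).digest(), rec["code_hash"])
        if not (pw_ok and code_ok):     # both factors checked before deciding
            rec["failures"] += 1
            return False
        rec["failures"] = 0
        rec["code_hash"] = None         # consume the code: a replay can never succeed
        self._issue_code(username)      # pre-deliver the next one for the next session
        return True

def latest_code(auth, username):
    # Simulates the user reading the most recent SMS on their phone.
    return [c for u, c in auth.sms_outbox if u == username][-1]

def demo():
    auth = PreIssuedOtpAuthenticator()
    auth.enroll("alice", "Winter2024!")                  # constructed sample user
    first = latest_code(auth, "alice")
    ok = auth.login("alice", "Winter2024!", first)       # code consumed, next one sent
    replay = auth.login("alice", "Winter2024!", first)   # same code again: rejected
    nxt = auth.login("alice", "Winter2024!", latest_code(auth, "alice"))
    return ok, replay, nxt      # (True, False, True)
```

A failed attempt leaves the stored code in place, so a wrong password does not burn the user's pre-delivered code, while the failure counter still bounds guessing.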

Adam Bruce, UK channel manager for SecurEnvoy, said people tended to look after their phones more carefully than other devices such as tokens. If users do lose their phone, he said, SecurAccess provides a self-service helpdesk facility: the user logs on to a website, answers a personal question (such as mother's maiden name) and receives a one-time code so they can keep working.

John Lewis awarded the contract last December following an extended pilot programme involving 500 users. Clements said the new system was well received by most users. "It has been working effectively and we have had no problems with the roll out. One good thing is that if people are wary of having their personal mobile number stored, it is actually all encrypted, so the only people who can see their personal details are the administrators," he said.

He added that ease of use has been a prime consideration: "Users also have one less credential to remember as we have chosen to implement Windows passwords as the second factor."

While it would have been uneconomic to give tokens to all staff, SecurEnvoy's ICE (in case of emergency) pricing programme for occasional users has made it possible to extend remote access out to all 15,000 staff. "This now means that we have the option to give it to a wider user base within the business for secure access to our network, even in the event of an emergency," said Clements.

