Scania is replacing 2,500 RSA SecurID hardware tokens with Java software that runs on mobile phones to eliminate the cost of distributing the hardware tokens to end-users.
Two-factor authentication offers a more secure log-in process than user name and password alone. A common approach is to use a small electronic hardware token that displays a unique number, or key, each time it is used.
The user logs into a corporate IT system using a combination of user name, password and this key. But being a physical device, it can be lost or broken. The RSA token also has a fixed life because it is a sealed unit and users cannot replace the battery when it dies.
Bo PalmBlad, IT manager at Scania, said, "We needed to change tokens every three to four years." Scania was incurring costs each time a battery ran out and the operation was "tough to administer", he added.
Now, as the RSA tokens expire, PalmBlad is providing users with a software token called Secure Application Access, supplied by network security firm Portwise.
Built into the Portwise 4.0 platform, Secure Application Access allows users to run a Java application on their mobile phones which provides a security key. They type this in along with a user name and password to log in to Scania's IT systems.
Two-factor authentication is expected to become more widely used as IT directors look to address the inherent weakness of password-based single-factor authentication.
Any software-based approach will be less secure than a hardware-based alternative because it could be vulnerable to viruses.
John Meakin, global head of information security at Standard Chartered Bank, which has deployed RSA SecurID tokens, said users need to weigh up the risk. "By moving away from passwords to two-factor authentication, it may be acceptable to take a bigger risk as overall security is improved," he said.
RSA business development director John Madelin said, "When you deploy hardware tokens there is an acquisition and deployment cost. With every customer we look at size, structure and how authentication is used strategically."