Invensys runs a global infrastructure services division and is deploying soft tokens to save the time and expense of operating a physical token infrastructure. One drawback Invensys faced with physical tokens was that users did not always have the token with them when connecting remotely.
The rollout, covering up to 150,000 users, will save Invensys £546,000 ($900,000), given that each soft token is £3.64 ($6) cheaper than a physical token, according to David van Rooyen, Invensys principal solutions architect.
"Provisioning a physical token for one of our users takes around 10 days. Compared with provisioning a soft token - which takes five minutes - the man-hour reduction is vast. However, even more than the man-hour savings, there's also the cost of the physical tokens and shipping them out. I've completed a full business analysis and the results are quite staggering - $8 per person per month for a physical token against just $2 per person per month for a soft token. When you replicate that across 15-20,000 users, the savings are in the millions."
SecurAccess was first deployed at Invensys Rail, with a further 100 users piloting the first migration stage. Using the feedback from this pilot, Invensys has extended the service to 150 users at Invensys Controls and another 550 users at Invensys Operations Management. In April, the company decided to roll out SecurAccess to 150,000 users.
"In the last twelve months I've been evaluating all of our global remote access options to bring them together as one system and architecture. With a mix of single-factor authentication, physical token two-factor authentication and soft token two-factor authentication across the various divisions and businesses, you could say we've had the opportunity to trial all available options and make an informed choice. Three months ago the decision was taken to extend SecurAccess beyond Invensys Rail into other areas of the business," said David van Rooyen.
According to van Rooyen, by rolling out SecurAccess in phases, Invensys has been able to develop a greater understanding of the process and of how users react to the change in working practice, and to identify sticking points that keep recurring.
"In our experience it's been more about user education and communication as opposed to the challenge of actually migrating users across," said van Rooyen.
The rollout involves sending two manuals - one explaining the registration process and the other explaining the remote authentication steps - to each user, through a carefully worded e-mail. Van Rooyen added: "With each new roll-out we've been able to hone the message that users receive that clarifies exactly what's happening, when and what we need them to do. Any element of the message that has caused confusion previously is corrected."
Adam Bruce, UK and Ireland channel manager at SecurEnvoy, says SecurAccess uses Windows Active Directory for user authentication, unlike some systems, which use a separate database. "We offer direct LDAP integration. We store all the user and login information."
He says that historically, most two-factor authentication systems stored user login details in a separate database, which needed to be synchronised with Windows Active Directory. "This can get complex, especially in a situation where there are multiple network domains."
Instead, SecurAccess uses redundant fields in Active Directory - namely the telex and other fields - to store a user's login information. For authentication to work, the users' phone numbers need to be stored in Active Directory. If the number is not present, SecurAccess's deployment wizard software sends an e-mail to the user with a request to provide a mobile number.
To log in, a user enters a username and password and then enters a code contained in an SMS message, which is sent via a secure web-based SMS gateway from the SecurAccess software.
Invensys has a few users who experience poor mobile reception at home or other locations. Such users are able to receive the code via e-mail.
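The login flow described above (password first, then a one-time code delivered by SMS, or by e-mail for users without usable mobile coverage, and an enrolment prompt when no number is on record) can be illustrated with a small simulation. The following is an added example written for this page; it is not SecurEnvoy's code and does not reproduce how SecurAccess stores data in Active Directory. The directory, the recording gateway, the sample users and the policy values (6-digit code, 120-second lifetime, 3 guesses, PBKDF2 for the password) are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Policy values are assumptions for this example, not SecurEnvoy settings.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 120
MAX_ATTEMPTS = 3
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2 stands in for whatever the real directory stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


_DUMMY_SALT = b"\0" * 16
_DUMMY_HASH = hash_password("unknown-user", _DUMMY_SALT)


@dataclass
class DirectoryUser:
    username: str
    salt: bytes
    password_hash: bytes
    email: str
    mobile: Optional[str] = None  # phone number held in a directory attribute
    prefer_email: bool = False    # users with poor mobile reception get the code by e-mail


@dataclass
class Challenge:
    username: str
    code: str
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class RecordingGateway:
    """Stand-in for the SMS / e-mail gateway: records what it would have sent."""

    def __init__(self) -> None:
        self.sent: List[Tuple[str, str, str]] = []  # (channel, address, body)

    def send(self, channel: str, address: str, body: str) -> None:
        self.sent.append((channel, address, body))


class TwoFactorLogin:
    def __init__(self, directory: Dict[str, DirectoryUser], gateway: RecordingGateway, clock=time.time):
        self.directory = directory
        self.gateway = gateway
        self.clock = clock
        self.challenges: Dict[str, Challenge] = {}

    def start(self, username: str, password: str) -> Optional[str]:
        """Step 1: check the password, then deliver a fresh one-time code."""
        user = self.directory.get(username)
        # Do the same hashing work for unknown users so timing does not reveal which names exist.
        salt = user.salt if user else _DUMMY_SALT
        expected = user.password_hash if user else _DUMMY_HASH
        if not hmac.compare_digest(hash_password(password, salt), expected) or user is None:
            return None
        if user.mobile is None and not user.prefer_email:
            # Nothing to deliver to: ask the user to register a number instead of logging in.
            self.gateway.send("email", user.email, "Please register a mobile number before remote login")
            return None
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        challenge_id = secrets.token_urlsafe(16)
        self.challenges[challenge_id] = Challenge(username, code, self.clock() + CODE_TTL_SECONDS)
        body = f"Your login code is {code}"
        if user.prefer_email:
            self.gateway.send("email", user.email, body)
        else:
            self.gateway.send("sms", user.mobile, body)
        return challenge_id

    def finish(self, challenge_id: str, code: str) -> bool:
        """Step 2: accept the code once, within its lifetime, with a bounded number of guesses."""
        ch = self.challenges.get(challenge_id)
        if ch is None or self.clock() > ch.expires_at:
            self.challenges.pop(challenge_id, None)
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(ch.code, code)
        if ok or ch.attempts_left <= 0:
            self.challenges.pop(challenge_id)  # single use; also discarded after too many wrong guesses
        return ok


def code_from_message(body: str) -> str:
    """Pull the code out of a recorded gateway message (for demos and tests)."""
    return body.rsplit(" ", 1)[-1]


def demo_directory() -> Dict[str, DirectoryUser]:
    """Constructed sample users; each password is '<name>-pw'."""
    def user(name, email, mobile=None, prefer_email=False):
        salt = secrets.token_bytes(16)
        return DirectoryUser(name, salt, hash_password(f"{name}-pw", salt), email, mobile, prefer_email)
    return {
        "alice": user("alice", "alice@example.invalid", mobile="+447700900001"),
        "bob": user("bob", "bob@example.invalid", mobile="+447700900002", prefer_email=True),
        "carol": user("carol", "carol@example.invalid"),  # no number on record yet
    }


if __name__ == "__main__":
    gateway = RecordingGateway()
    login = TwoFactorLogin(demo_directory(), gateway)
    cid = login.start("alice", "alice-pw")
    print("delivered via", gateway.sent[-1][0])
    print("login ok:", login.finish(cid, code_from_message(gateway.sent[-1][2])))
```

The points worth noticing are the ones that separate a sound SMS second factor from a weak one: the code is generated with `secrets`, compared in constant time, expires after a fixed interval, is accepted exactly once, and is thrown away after a small number of wrong guesses; the password check is done before any message is sent, and the clock is injectable so expiry can be tested without waiting.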