Tokenless two-factor authentication helps council with CoCo compliance

Instead of equipping remote workers with security tokens, a Scottish council has found a cost-effective way of sending authentication codes to its employees' mobile phones.

A Scottish council has found a low-cost way of tightening security for remote workers. Instead of equipping them with special security tokens, it now sends out authentication codes to its employees' mobile phones.

More than 1,000 workers at Dundee City Council have been enrolled into the tokenless two-factor authentication system, which provides them with a second factor of authentication, after username and password, when they log on to the council's VPN.

The system is based on the SecurAccess product from SecurEnvoy Ltd., which sends each user a unique access code to key in when accessing council systems.

As well as making the connections more secure, the system helps Dundee comply with the requirements laid out in the Code of Connection (CoCo) for local authorities connecting to the Government's Secure Extranet (GSX).

Graeme Quinn, IT team leader at Dundee City Council, said the council wanted to increase security, having relied formerly just on usernames and passwords. He considered a group of token-based products, including those from Vasco Data Security International Inc., but finally opted for SecurEnvoy. "One of the big selling points of SecurEnvoy was that it integrated easily with Active Directory, it was easy to deploy, and it sent out the tokenless two-factor authentication to a mobile phone. So we didn't need any physical tokens to distribute. That was a big plus, certainly," he said.

"SecurEnvoy also supported multiple Active Directories -- we operate across two Active Directories here at the council."

Dundee has adopted VMware for server virtualisation, so SecurAccess runs as a virtual server, with links to the two Active Directories. Users can enrol in the service, which associates them with their AD entry and email address, and asks them to key in their mobile phones' details to enable the codes to be sent to them.

Quinn says that most employees were happy to use their own mobile phones. Where this was not the case, users could choose to have the code delivered either to their personal email address, or to a landline (usually their home number) where the code could be converted to speech.

"There is a good degree of flexibility," Quinn said. "For instance, if you are going to be in a place that has a poor mobile signal, you can have an authentication code sent that lasts a couple of days, or you can have up to three codes sent."

Deployment of SecurAccess was easy, according to the IT team leader. "We just had someone on the end of a phone to talk us through a few things, but apart from that it was not a problem," he said. "We then had to configure the VPN [an SSL VPN from AEP Networks Inc.] to point it at the SecurEnvoy server, and that was it."

Staff training and enrolment were equally trouble-free. "There was some preparation to make people aware of the changes that were happening. And we made sure there were some key people in departments who were up to speed to answer questions," he said. "But the only thing that's changed is that they get an extra box on the screen when they sign in. Inevitably, there was the odd problem with people mis-keying their mobile numbers, for instance, but on the whole it was pretty easy."
