Campus Cards, College and University Identification and Security

UK college pilots tokenless, two-factor authentication

Thursday, April 4, 2013

The Sheffield College in South Yorkshire, UK — an institution with academic, vocational and work-related programs — is piloting a tokenless, two factor authentication solution for its faculty and staff.

Sheffield services some 20,000 adult and young adult students per year studying on full-time, part-time and short-term bases. Sheffield maintains four main campuses located across the city – Hillsborough College, Norton College, Peaks College and Sheffield City College.

Herein lies the need for a new remote access solution.

Sheffield College staff often work from, and between, the disparate campus locations. Previously, the college used a remote access solution that enabled staff to access their virtual desktops and corporate network while on the move.


The old system used a token-based, two-factor authentication platform, which required the provisioning of a new token each time a staff member needed access, or a token was lost or stolen. This method of replacing and issuing new tokens proved not only costly for the college, but time consuming and a drain on administrative resources as well.

When the college was faced with a recent maintenance overhaul, administrators made the decision to implement a new tokenless two-factor authentication system. The college was already in the process of updating its remote access solution to VMware View VDI, so the new authentication solution had to be integrated with VMware’s latest version, View 5.1.

The solution

With the consultation of Nviron, a Microsoft accredited provider of IT solutions, Sheffield decided to pilot Swivel Secure on a two-month, no commitment basis. The Swivel authentication platform uses its PINsafe protocol to generate a one-time-code (OTC) each time a user logs in; ensuring a level of presence and security that only allows authorized users to access the college’s corporate network.

To aid in Sheffield’s rollout, Swivel affords its clients a variety of implementation methods. Sheffield elected for a combination of the mobile app, SMS and email, then enabled staff to select the method most convenient to them.

How it works

The one-time-code, PINsafe process works by combining a chosen, registered employee PIN with 10-digit security strings that are sent to the user via their chosen deployment option — email, SMS, etc. In the same vein as a decoder pin, the employee uses their personal 4-digit PIN to work out the unique one-time-code.

So to clarify, the user selects a four digit PIN — ‘1370’ for example — with each digit corresponding to a specific numerical place in the 10-digit security string. The number 1 corresponds to the first digit in the security string, three corresponds to the third digit, seven to the seventh with the number ‘0’ used to represent the tenth digit in the security string.

To obtain their OTC, the user will receive a message containing a 10-digit security string, and using their PIN would essentially decode their one-time access credential.

The thought is that this method positions the end user at the heart of the authentication process because it requires them to be physically present at the time of login. It’s this feature that sets Swivel apart from other tokenless solutions and ensures that user PINs cannot be compromised by threats like phishing, key logging, man-in-the-middle and shoulder surfing attacks.

Sheffield College has revealed the following reasons for adopting Swivel:

  • Lower total cost of ownership as 
compared to other tokenless and token-based 2FA solutions.
  • Flexible and scalable 
platform that allows for simple 
tailoring to individual needs.
  • Simple integration with the Sheffield’s new 
remote access solution, VMware View VDI.
  • Ease of platform management as compared to the provisioning 
of new tokens.

 [end] 

Identity-as-a-Service platform provider PasswordBank has partnered with SecurEnvoy to add tokenless two-factor authentication to its identity management product.

PasswordBank’s clients will now be able to access cloud applications through a single-sign-on platform. The two-factor authenticating feature will utilize SMS messaging capabilities, eliminating the need for a token.

read more »

NFC deployments on college campuses have struggled to get off the ground, having been foiled by a number of hurdles, including difficulty with gaining access to the secure element within mobile devices. But could host-card emulation provide the key to unlock this puzzling conundrum?

read more »

NFC implementations on campus have been anything but perfect. In fact, between the fractured nature of NFC adoption as a technology, the relatively few university-specific NFC pilots and the rejection by Apple, NFC is far from making the grade.

read more »

frustrated of sheffield Permalink
April 5, 2013 3:42 AM

Nice idea, but It is not tokenless, they are replacing a token with a phone/tablet etc. it also requires all secure PIN pads to be networked to the OTP server. BTW is the OTP server and the the network secure? what isthe increased in insatllation costs?

Reply
April 7, 2013 7:12 PM

Not sure how this forces any particular individual to be present - it just requires someone with knowledge of the keys.

Reply
April 8, 2013 12:46 AM

Too cumbersome and will kill user experience... the need of an hour is something which uses multiple channel. is secure and easy to use... dint find any such thing happening with this solutions...

Reply
Comment on this article

Your full name and URL will be displayed with your comment.

Your email is not shown or shared, and is used only for your Gravatar image.




characters left.