Campus Cards, College and University Identification and Security

UK college pilots tokenless, two-factor authentication

Thursday, April 4, 2013

The Sheffield College in South Yorkshire, UK — an institution with academic, vocational and work-related programs — is piloting a tokenless, two factor authentication solution for its faculty and staff.

Sheffield services some 20,000 adult and young adult students per year studying on full-time, part-time and short-term bases. Sheffield maintains four main campuses located across the city – Hillsborough College, Norton College, Peaks College and Sheffield City College.

Herein lies the need for a new remote access solution.

Sheffield College staff often work from, and between, the disparate campus locations. Previously, the college used a remote access solution that enabled staff to access their virtual desktops and corporate network while on the move.

The old system used a token-based, two-factor authentication platform, which required the provisioning of a new token each time a staff member needed access, or a token was lost or stolen. This method of replacing and issuing new tokens proved not only costly for the college, but time consuming and a drain on administrative resources as well.

When the college was faced with a recent maintenance overhaul, administrators made the decision to implement a new tokenless two-factor authentication system. The college was already in the process of updating its remote access solution to VMware View VDI, so the new authentication solution had to be integrated with VMware’s latest version, View 5.1.

The solution

With the consultation of Nviron, a Microsoft accredited provider of IT solutions, Sheffield decided to pilot Swivel Secure on a two-month, no commitment basis. The Swivel authentication platform uses its PINsafe protocol to generate a one-time-code (OTC) each time a user logs in; ensuring a level of presence and security that only allows authorized users to access the college’s corporate network.

To aid in Sheffield’s rollout, Swivel affords its clients a variety of implementation methods. Sheffield elected for a combination of the mobile app, SMS and email, then enabled staff to select the method most convenient to them.

How it works

The one-time-code, PINsafe process works by combining a chosen, registered employee PIN with 10-digit security strings that are sent to the user via their chosen deployment option — email, SMS, etc. In the same vein as a decoder pin, the employee uses their personal 4-digit PIN to work out the unique one-time-code.

So to clarify, the user selects a four digit PIN — ‘1370’ for example — with each digit corresponding to a specific numerical place in the 10-digit security string. The number 1 corresponds to the first digit in the security string, three corresponds to the third digit, seven to the seventh with the number ‘0’ used to represent the tenth digit in the security string.

To obtain their OTC, the user will receive a message containing a 10-digit security string, and using their PIN would essentially decode their one-time access credential.

The thought is that this method positions the end user at the heart of the authentication process because it requires them to be physically present at the time of login. It’s this feature that sets Swivel apart from other tokenless solutions and ensures that user PINs cannot be compromised by threats like phishing, key logging, man-in-the-middle and shoulder surfing attacks.

Sheffield College has revealed the following reasons for adopting Swivel:

  • Lower total cost of ownership as 
compared to other tokenless and token-based 2FA solutions.
  • Flexible and scalable 
platform that allows for simple 
tailoring to individual needs.
  • Simple integration with the Sheffield’s new 
remote access solution, VMware View VDI.
  • Ease of platform management as compared to the provisioning 
of new tokens.


Apple’s recent iPhone 6 launch was a big deal for tech junkies the world over, but could this latest iPhone release redefine the campus card as we know it? Could the iPhone 6 actually replace the ID card altogether?

read more »

College students are cash strapped at the best of times, but they’re also incredibly tech savvy and willing to try new things. At least that’s the idea of Vancouver-based tech company nTrust.

read more »

frustrated of sheffield Permalink
April 5, 2013 3:42 AM

Nice idea, but It is not tokenless, they are replacing a token with a phone/tablet etc. it also requires all secure PIN pads to be networked to the OTP server. BTW is the OTP server and the the network secure? what isthe increased in insatllation costs?

April 7, 2013 7:12 PM

Not sure how this forces any particular individual to be present - it just requires someone with knowledge of the keys.

April 8, 2013 12:46 AM

Too cumbersome and will kill user experience... the need of an hour is something which uses multiple channel. is secure and easy to use... dint find any such thing happening with this solutions...

Comment on this article

Your full name and URL will be displayed with your comment.

Your email is not shown or shared, and is used only for your Gravatar image.

characters left.