UK college pilots tokenless, two-factor authentication
04 April, 2013
category: Education, Mobile, SecureIDNews, Security
The Sheffield College in South Yorkshire, UK — an institution with academic, vocational and work-related programs — is piloting a tokenless, two-factor authentication solution for its faculty and staff.
Sheffield services some 20,000 adult and young adult students per year studying on full-time, part-time and short-term bases. Sheffield maintains four main campuses located across the city – Hillsborough College, Norton College, Peaks College and Sheffield City College.
Herein lies the need for a new remote access solution.
Sheffield College staff often work from, and between, the disparate campus locations. Previously, the college used a remote access solution that enabled staff to access their virtual desktops and corporate network while on the move.
The old system used a token-based, two-factor authentication platform, which required the provisioning of a new token each time a staff member needed access or a token was lost or stolen. Replacing and issuing new tokens proved not only costly for the college, but also time-consuming and a drain on administrative resources.
When the college was faced with a recent maintenance overhaul, administrators made the decision to implement a new tokenless two-factor authentication system. The college was already in the process of updating its remote access solution to VMware View VDI, so the new authentication solution had to be integrated with VMware’s latest version, View 5.1.
The solution
In consultation with Nviron, a Microsoft-accredited provider of IT solutions, Sheffield decided to pilot Swivel Secure on a two-month, no-commitment basis. The Swivel authentication platform uses its PINsafe protocol to generate a one-time-code (OTC) each time a user logs in, ensuring a level of presence and security that only allows authorized users to access the college’s corporate network.
To aid in Sheffield’s rollout, Swivel affords its clients a variety of implementation methods. Sheffield elected for a combination of the mobile app, SMS and email, then enabled staff to select the method most convenient to them.
How it works
The PINsafe one-time-code process works by combining a registered PIN chosen by the employee with 10-digit security strings that are sent to the user via their chosen deployment option — email, SMS, etc. In the same vein as a decoder pin, the employee uses their personal 4-digit PIN to work out the unique one-time-code.
To clarify, the user selects a four-digit PIN — ‘1370’ for example — with each digit corresponding to a specific numerical place in the 10-digit security string. The number ‘1’ corresponds to the first digit in the security string, ‘3’ to the third digit and ‘7’ to the seventh, with the number ‘0’ used to represent the tenth digit in the security string.
To obtain their OTC, the user receives a message containing a 10-digit security string and uses their PIN to decode their one-time access credential from it.
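The derivation described above, written out as a short Python sketch. This is an added example, not Swivel's code: the server-side `ChallengeStore` class, its single-use handling of security strings and the sample values are assumptions made for illustration.

```python
import hmac
import secrets

STRING_LEN = 10  # the article describes 10-digit security strings


def new_security_string() -> str:
    """Fresh random 10-digit string (assumption: digits may repeat)."""
    return "".join(secrets.choice("0123456789") for _ in range(STRING_LEN))


def _is_digits(value: str, length: int) -> bool:
    return len(value) == length and value.isascii() and value.isdigit()


def derive_otc(pin: str, security_string: str) -> str:
    """Pick one character of the security string per PIN digit.

    PIN digits 1..9 select that position (1-based); 0 selects the tenth.
    """
    if not _is_digits(security_string, STRING_LEN):
        raise ValueError("security string must be exactly 10 digits")
    if not _is_digits(pin, 4):
        raise ValueError("PIN must be exactly 4 digits")
    return "".join(security_string[(int(d) - 1) % STRING_LEN] for d in pin)


class ChallengeStore:
    """Hypothetical server side: one outstanding string per user, single use."""

    def __init__(self, pins: dict[str, str]):
        self._pins = pins                   # user -> PIN (constructed demo data)
        self._pending: dict[str, str] = {}  # user -> outstanding security string

    def issue(self, user: str) -> str:
        self._pending[user] = new_security_string()
        return self._pending[user]          # delivered by SMS, email or app

    def verify(self, user: str, submitted_otc: str) -> bool:
        # pop() consumes the string, so a replayed code is rejected
        challenge = self._pending.pop(user, None)
        if challenge is None or user not in self._pins:
            return False
        expected = derive_otc(self._pins[user], challenge)
        # constant-time comparison of expected and submitted codes
        return hmac.compare_digest(expected.encode(), submitted_otc.encode())
```

With the article's PIN ‘1370’ and the constructed security string `5829036147`, `derive_otc` returns `5267`: the first, third, seventh and tenth digits of the string.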
The thought is that this method positions the end user at the heart of the authentication process because it requires them to be physically present at the time of login. It’s this feature that sets Swivel apart from other tokenless solutions and ensures that user PINs cannot be compromised by threats like phishing, key logging, man-in-the-middle and shoulder surfing attacks.
Sheffield College has revealed the following reasons for adopting Swivel:
- Lower total cost of ownership as compared to other tokenless and token-based 2FA solutions.
- Flexible and scalable platform that allows for simple tailoring to individual needs.
- Simple integration with Sheffield’s new remote access solution, VMware View VDI.
- Ease of platform management as compared to the provisioning of new tokens.