Implementing Cellular Authentication Token for Strong Authentication

(06/09/2007)

Leigh Mardon NZ is the leading Credit Card Manufacturer and Security Printer in New Zealand and a major trusted supplier to the trading banks, finance companies and credit unions for their cards and cheques. Leigh-Mardon’s sales force is distributed across the country where each sales person has a responsibility to a specific area and/or group of clients.

The sales tasks require frequent communication with Leigh-Mardon central server to receive and forward Emails and documents. Each sales person has their own company Email address. Dealing with highly secured information and server, the regular OWA access was deemed not secure enough and a solution was required. Leigh-Mardon was looking for a secure, affordable and easy to use solution.

Leigh-Mardon has decided to take a pragmatic approach to selecting the security enabler. It was recognized that the market standard for strong authentication is TFA OTP tools and a list of requirements was prepared based on the immediate needs and projected growth plans.

The requirements were:
- Full OWA integration capability
- TFA OTP token with time based algorithm to reduce the “phishing” risk
- Take into account possible extension of the security to other areas such as additional servers and services
- Ease of use
- Initial implementation cost, hidden costs and ongoing costs
- Tokens management overheads
- Support
- Maintenance and token replacement
- Product performance
- Ability to customize

After checking the available solutions in the market the CAT soft token was selected as the optimal performing option. The main reasons were:
- Ease of management
- The token is downloaded from the Internet so easy to distribute to users
- Users are generally very aware of the location of their cell phone
- The one-time-password is protected by a pin
- Multiple OTP accounts on the one device.
- Cost: the longer term costs of CAT are lower than other products

The CAT installation is a straightforward process on the OWA Server as well as on the Cellular phones. About 90 % of the cell phones at Leigh-Mardon supported CAT. The remainder have been upgraded or replaced through the cell phone provider upgrade programs.

Initial issues regarding cell phone time synchronization on some phones were dealt with by enabling cellular network time synchronization and the CAT tokens have achieved a 100 % performance level.

The main indexes for success:
- The easy process of acceptance of the CAT by the different users – there were no cases where the token was forgotten or unavailable, no misunderstandings and operating problems
- There is virtually no possibility of identity theft.
- There is a requirement to extend the CAT to protect other services such as Data Transfer facilities used by Leigh-Mardon and other customer related services.

It is most important to have the organization ready for assimilation of new technology. In the case of integrating CAT into the existing OWA service, the implementation went faster than planned and while some of the sales people were setup early, others had to wait for cell phone upgrade and CAT installation.

Initially it was decided that the systems administrator would install the CAT on each sales person’s cell phone. That meant that the sales person had to bring the cell phone to the administrator and wait for the installation. It was soon identified that the CAT download instruction could be forwarded to cell phone using a single SMS and the end user could download the application onto the cell phone and setup themselves. This eliminated the need for sales people to come into the office to get them up and running on CAT.

Related topics:  Authentication and identity management   Building access control system   Computer and PC Security   Data management and data security   Internet and Web security   Mobile and Wireless Security   Network Security   Security management and policies   Security threats and vulnerabilities   VPN   White papers 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources