Employee benefits firm adopts two-factor authentication
07 March, 2016
category: Corporate, Digital ID, Financial
The P&A Group is an employee benefits firm that helps employers manage employee retirement accounts, flex spending programs and 401K data. For P&A, protecting their clients’ employee data is mission critical and adding two-factor authentication was a necessity.
“We have 2 million participants, and if someone takes our customer database we’re out of business,” says Greg Zillox, director of IT Services at the P&A Group. The company was aware of the array of modern threats and wanted to take steps to prevent a data breach.
Adding to the complexity is that many of P&A’s employees work remotely. “We have a lot of people in the field and a lot who work remotely, and they all use different devices for logging into the VPN,” Zillox says.
With breaches rampant and hackers always trying to find a way in, Zillox has concerns. “If you’re a sales guy or IT guy working remotely and you get a key logger program, what are you going to do?” he asks. “Hackers will be able to log in to our system and cruise the database.”
Two-thirds of enterprises going multi-factor
With close to two-thirds of responding companies having suffered a data breach in 2015, 95% reported they would increase cybersecurity spending in the next year. Enterprises are also ramping up authentication procedures, with 66% moving beyond user names and passwords. These are the results of a survey of 300 IT professionals conducted by Wakefield Research and sponsored by SecureAuth Corp.
Of the companies planning to increase cybersecurity spending, 44% will do so by 20% or more. Some of that increase will go towards identity management and authentication. Recent breaches have shown that user names and passwords aren’t sufficient. This assessment is backed up by the survey results, as two-thirds of respondents will leverage stronger authentication methods.
Respondents say that passwords are on their way out, and 91% of cybersecurity professionals agree that the traditional password will not exist in ten years. But the move to new authentication technologies isn’t easy and there is still some confusion in the market. Eight of ten cybersecurity professionals think new authentication methods are prohibitive because they require the latest technology and most up-to-date software.
Regardless of the challenges, an overwhelming 97% of respondents say new authentication techniques – such as biometrics and two-factor authentication – are reliable.
Conversations with P&A’s disaster recovery provider led the company to two-factor authentication and SMS Passcode, Zillox explains. After an employee enters a user name and password into the VPN, SMS Passcode sends a five-digit code to the employee’s mobile device. If the employee doesn’t enter that code within 45 seconds, an email is sent with the code in case they don’t have their mobile device.
Some complain that these text messaging and email-based code solutions aren’t foolproof. Mobile numbers can be spoofed, text messages can be rerouted, and key loggers can capture codes that are then used to gain access.
P&A knows about these concerns and performed its own test to see if this is possible. Using two different laptops, two different people tried logging in with the same username, password and code, but only the individual who initiated the session was able to gain access, Zillox says. SMS Passcode ties each two-factor authentication code to a unique session ID, so that even if someone else has all the correct data they still won’t be able to gain access.
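The session binding described above can be sketched in a few lines. This is an added example, not SMS Passcode's or P&A's code; the class name, the five-minute validity window and the three-attempt limit are assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window; the article states none
MAX_ATTEMPTS = 3        # assumed guess limit per login session


class SessionBoundOtp:
    """Hypothetical server-side store tying each code to one login session."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # session_id -> state of the pending second factor

    def start_login(self, username):
        """Call only after the password check passed. Returns (session_id, code).

        session_id stays with the client that started the login; code is
        what would be delivered out of band (text message, then email).
        """
        session_id = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(100_000):05d}"  # five digits, as in the article
        self._pending[session_id] = {
            "user": username,
            "code": code,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": MAX_ATTEMPTS,
        }
        return session_id, code

    def verify(self, session_id, username, code):
        """True only for the right code presented on the session that requested it."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False  # unknown session: credentials plus code are not enough
        if self._clock() > entry["expires"]:
            del self._pending[session_id]
            return False
        entry["attempts"] -= 1
        ok = entry["user"] == username and hmac.compare_digest(
            entry["code"].encode(), code.encode()
        )
        if ok or entry["attempts"] <= 0:
            del self._pending[session_id]  # single use, and stop brute force
        return ok
```

A second device that knows the user name, password and code but holds a different session identifier fails at the first lookup, which matches the outcome of the two-laptop test.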
P&A hosts the entire SMS Passcode system on premises, Zillox says. Because of the sensitivity of the data it stores, the company didn’t want to outsource any of the systems.
For more than a year, the company has been using the two-factor authentication system with 55 employees without any problems, Zillox says. In the future, they will be using it for password resets as well so employees don’t have to contact IT if they forget a password.
SMS Passcode has more than 10,000 clients around the world, says Henrik Jeberg, managing director at the company. While P&A Group opted to host its own system, SMS Passcode can also provide a cloud-based solution.
Financial services is the segment moving fastest to multi-factor authentication, followed by health care, professional services and local government, Jeberg explains.
The interest often comes from organizations that have a lot of employees on the road. “Basically anything having to do with remote access, lot of VPNs and access to cloud services,” he says.