The P&A Group is an employee benefits firm that helps employers manage employee retirement accounts, flexible spending programs and 401(k) data. For P&A, protecting its clients’ employee data is mission critical, and adding two-factor authentication was a necessity.
“We have 2 million participants, and if someone takes our customer database we’re out of business,” says Greg Zillox, director of IT Services at the P&A Group. The company was aware of the array of modern threats and wanted to take steps to prevent a data breach.
Adding to the complexity is that many of P&A’s employees work remotely. “We have a lot of people in the field and a lot who work remotely, and they all use different devices for logging into the VPN,” Zillox says.
With breaches rampant and hackers always trying to find a way in, Zillox has concerns. “If you’re a sales guy or IT guy working remotely and you get a key logger program, what are you going to do?” he asks. “Hackers will be able to log in to our system and cruise the database.”
Conversations with P&A’s disaster recovery provider led the company to two-factor authentication and SMS Passcode, Zillox explains. After an employee enters a username and password into the VPN, SMS Passcode sends a five-digit code to the employee’s mobile device. If the employee doesn’t enter that code within 45 seconds, an email carrying the same code is sent in case they don’t have the mobile device at hand.
Some argue that these text-message and email-based code solutions aren’t foolproof: mobile numbers can be spoofed, text messages rerouted, and key loggers can capture codes that are then used to gain access.
P&A knows about these concerns and performed its own test to see whether this is possible. Using two different laptops, two different people tried logging in with the same username, password and code, but only the individual who initiated the session was able to gain access, Zillox says. SMS Passcode ties each two-factor authentication code to a unique session ID, so even someone holding all the correct data still won’t be able to gain access from another session.
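To make the session-binding behaviour concrete, here is an added Python model of the flow described above (a five-digit code issued to a session, emailed after 45 seconds, rejected from any other session). It is illustrative code written for this page, not SMS Passcode's or P&A's implementation; the 300-second code lifetime and all class and function names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_DIGITS = 5           # page: a five-digit code
FALLBACK_AFTER_S = 45.0   # page: e-mail the code if not entered within 45 seconds
CODE_TTL_S = 300.0        # assumption: codes expire eventually; the page gives no value


@dataclass
class PendingCode:
    code: str
    issued_at: float
    emailed: bool = False  # has the e-mail fallback already fired?


class SessionBoundOtp:
    """Second factor keyed by the session that already passed the password check,
    so a code captured from one login attempt cannot be replayed from another."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the 45 s fallback can be tested
        self._pending = {}   # session_id -> PendingCode

    def start_session(self) -> str:
        # Called after username/password succeed; the ID is unguessable.
        return secrets.token_urlsafe(16)

    def issue_code(self, session_id: str) -> str:
        # Fresh random code for this session only; the caller sends it by SMS.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[session_id] = PendingCode(code, self._clock())
        return code

    def fallback_code(self, session_id: str) -> Optional[str]:
        # Same code for e-mail delivery once 45 s have passed, at most once.
        p = self._pending.get(session_id)
        if p is None or p.emailed or self._clock() - p.issued_at < FALLBACK_AFTER_S:
            return None
        p.emailed = True
        return p.code

    def verify(self, session_id: str, code: str) -> bool:
        # Accept only for the issuing session, once, and before the TTL runs out.
        p = self._pending.get(session_id)
        if p is None or self._clock() - p.issued_at > CODE_TTL_S:
            self._pending.pop(session_id, None)
            return False
        if not secrets.compare_digest(p.code, code):
            return False
        del self._pending[session_id]  # single use: a logged code is useless afterwards
        return True
```

The P&A test maps directly onto this model: a code issued to one session is rejected when presented from a second session, and once used it cannot be replayed even from the first.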
P&A hosts the entire SMS Passcode system on premises, Zillox says. Because of the sensitivity of the data it stores the company didn’t want to outsource any of the systems.
For more than a year, the company has been using the two-factor authentication system with 55 employees without any problems, Zillox says. In the future, they will be using it for password resets as well so employees don’t have to contact IT if they forget a password.
SMS Passcode has more than 10,000 clients around the world, says Henrik Jeberg, managing director at the company. While P&A Group opted to host its own system, SMS Passcode can also provide a cloud-based solution.
Financial services is the segment moving fastest to multi-factor authentication, followed by health care, professional services and local government, Jeberg explains.
The interest often comes from organizations that have a lot of employees on the road. “Basically anything having to do with remote access, lot of VPNs and access to cloud services,” he says.