Dundee City Council has become the first in Scotland to secure access to its growing VPN using two-factor authentication based on SMS codes sent via mobile phone.

The headline reason for the investment in SecurEnvoy’s SecurAccess system was a desire to comply with the Scottish Government Code of Conduct (CoCo), which specifies minimum security parameters for network access by employees. Previously, Dundee had been securing its VPN through a conventional user name and password setup, now accepted to be inherently insecure.

The council assessed the SecurAccess design for 1,000 users against a rival and unnamed technology based on hardware tokens. What seems to have counted in favour of SecurAccess was its ability to enrol users cheaply and simply via email and manage them using the existing LDAP Active Directory database without the need to create a new parallel store of user data.

After enrolment, staff now access the council’s VPN by receiving six-digit passcodes on their phones, which they use in conjunction with their old user name and password fields. The codes can only be used once per login. Because access is entirely electronic, there are no physical tokens to be lost.

“We were looking to enhance our VPN security, and liked the easy process for accessing our network safely via SMS,” said Graeme Quinn, IT head at Dundee City Council. “Nearly everyone these days has a mobile phone, so this limited overall costs. We thought SecurAccess would be a quick, easy solution to combat the security issues around remote access.”

The council was considering increasing the number of licenses in future as the need for remote access expands from its already significant base. The council currently has around 7,500 employees spread across 265 sites, so the adoption of two-factor authentication affects a significant percentage of its frontline staff.

Might budget cuts in future years affect the ability of public sector organisations to adopt such technology, especially councils coping with rate capping?

“I think security is not going away,” mulls SecurEnvoy’s Adam Bruce, who brokered the deal with the Council. Budgets will be reduced but technologies such as ours will gain market share.” According to Bruce, hardware tokens will die off, killed by their higher cost and complexity.

Dundee City Council is the first to use the SecurEnvoy’s system in Scotland, but at least one other major council in the country is believed to be looking to roll out the system in the near future. In England, SecurAccess SMS tokens are already used by a number of councils, including Hertfordshire, Cambridge and Peterborough.