ICT for Recovery

From socks to jets: how the MoD authenticates online sellers of military surplus

The agency generates a return of more than £700m each year through its activities.

The DSA wanted to extend its conventional sales channels by introducing an online transactional portal – eDisposals.com – that would bring together fully-vetted contractors, charged with the resale of surplus stock, and buyers. Buyers are typically members of the public and other interested parties around the world.

The nature of the MoD's business meant that security had to be at the very heart of the solution. Never before had a transactional database been hosted outside the MoD's internal restricted network. It was therefore important that any solution conform to ISO27001 – the international standard for information security management systems.

In order to satisfy these extremely high security standards, the DSA decided to deploy a two-factor authentication (2FA) solution. 2FA helps control access to sensitive data by relying on both something the user knows – such as a password – and something they have, which is hard to steal or counterfeit. Initially, all contractors were required to use a one-time password (OTP), generated for every login by a physical token, before they could upload stock information to the site. An OTP provides an additional layer of security at the login stage as it is generated randomly, communicated independently and, as its name suggests, cannot be reused.

Following the success of this deployment, the DSA identified the importance of providing a 2FA option for the entire 6,000-plus user base – contractors and buyers. As tokens can be expensive to deploy and support, cheaper and simpler alternative 2FA delivery mechanisms were examined.

As a result, the DSA selected Celo – a tokenless 2FA system from Commerce Media which sends an OTP to the user via a choice of methods including secure email, instant message and SMS text messaging to a user's mobile phone. The solution was chosen because it was cost-effective, quick and simple to deploy without the need for additional software or hardware, easy to manage and adaptable to future changes in user numbers (from one to more than one hundred thousand). Most importantly, Celo provided robust security for all users logging onto the website over and above a standard 'name and password' procedure that could be more easily subverted.

In particular, the ability to deliver an OTP to a user's mobile phone has proved a highly convenient and simple way for users to log on securely. Unlike a token, a mobile phone is something users rarely forget to carry with them, and it is familiar and easy to use. Moreover, by providing strong authentication for its users, the DSA has demonstrated that it takes the protection of personal data seriously and has put steps in place to protect it fully.

A continuous cycle of independent third-party testing has confirmed that eDisposals.com complies with the high standards set by the independent accreditation body, the Defence Security Standards Organisation. In addition, Commerce Media is fully accredited to the ISO27001 international standard.

In Celo, Commerce Media has provided the DSA with a simple yet highly practical solution that gives the organisation confidence that its systems remain protected against unwarranted intrusion. The product has been employed successfully by the DSA since January 2007 and Commerce Media's contract with the DSA is ongoing.

Related links to this article:
Disposal Services Authority
Commerce Media