authentication method from the company. When the user logs on, the display screen asks if he or she wants to use the token or a second method, based on a cell phone.

If the second method chosen is the cell phone, the user receives a call within a few seconds. The user then enters a memorized PIN on the telephone keypad. This is called "out-of-band" authentication, because the system receives the PIN over a telephone network rather than the Internet or local area network.

Using a PIN alone isn't considered very secure -- a hacker can steal it if it's written down, or may figure it out via social engineering -- however, the company's method adds an extra safety measure by relying on "what you have," Waller said.

The system places a call only to the phone that's registered with the server. So if a hacker were to break into a protected network with a stolen PIN, he would also have to steal the employee's cell phone.

Digital Fingerprint

If Roselle implements software-based tokens in the future to supplement the hardware devices, its network will gain yet a third layer of protection.

When an end-user downloads the token software, ProtectID takes a "hash" of that person's device and stores it on the authentication server. A hash, Waller explained, is a snapshot of the identification numbers -- such as serial numbers and IP addresses -- of several components within the device. The hash uniquely identifies that computer, PDA or cell phone.

"Think of it as a digital fingerprint," he said.

When someone uses the device to remotely log on to the system, the software compares the device with the hash to verify that it's a particular person's machine and no one else's. A nontrusted device cannot access the network.

Along with hardware and software tokens, and cell phone authentication, StrikeForce offers several other ways to control remote access to a network. They include fingerprint readers, iris scanners and smart cards, Waller said.

Because employees use the software to access the municipal network from their desks and remote computers, Naughton asked the company to customize the system to give him a sort of skeleton key to those machines.

"Say a user puts in a request for me to do some work on their computer, they're not in the office that day, and I decide I have time that day to do it," he explained. "For me to log on to that user account, I would need that token."

Now that Roselle employees must present two kinds of authentication, it's considered safe to keep using the same password, so it's no longer mandatory for users to change passwords every 30 days -- a big plus, Naughton said.

Tokens are generally advantageous as a second authentication key, said Naughton. For example, if a vendor's representative needed remote access to Roselle's network to provide upgrades or perform maintenance, Naughton would give the representative a temporary VPN password and read off the ID displayed on the token over the phone. This allows Naughton to monitor the network and give the vendor access only as needed.

"They're not coming [into the network] off-hours without my knowledge," he said, adding that along with those benefits comes the most essential one. "The knowledge that I'm operating a secure network now takes a lot off my mind."

Merrill Douglas  |  Contributing Writer