With users struggling to remember the complex and frequently changing passwords that were required to access Ofqual systems, an evaluation team successfully implemented two-factor authentication using Windows 10 and Windows Hello technologies. BitLocker Network Unlock is also now being deployed across all of Ofqual, resulting in faster logins, happier users and more secure devices and networks.
The problems with passwords
Ofqual (the Office of Qualifications and Examinations Regulation) regulates GCSEs, A levels, vocational qualifications and national assessments for England. Having gained a place on the NCSC's ‘Secure by Default’ Partnership Programme, we were looking to apply new technologies to improve usability and security by unlocking the potential of Windows 10.
In the old system, the Ofqual network and services were accessed via username/password credentials. Ofqual’s password policy stipulated the need for complex passwords that could not be easily broken. However, this increased the number of users adopting insecure workarounds (such as writing passwords down) as they struggled to remember complex and frequently changing passwords.
Hello, two-factor authentication!
Our aim was to provide Ofqual users with improved security using alternatives to passwords. This would remove the need for insecure workarounds, and also improve the user experience.
With these goals in mind, the team evaluated a number of technologies. These included:
- BitLocker network unlock
- USB fingerprint readers
- PIN with two-factor authentication
- two-factor authentication using external readers
- facial recognition
The team chose BitLocker Network Unlock and Windows Hello using PIN, backed by the Trusted Platform Module (TPM), as these technologies were preferred by the test users. They found remembering a PIN easier than remembering a password.
BitLocker Network Unlock
Network Unlock in Windows 10 allows a user to access a device with an automatic unlock when connected to the Ofqual LAN, although it is not enabled on wireless devices.
Network Unlock allows a BitLocker-enabled device to be unlocked without the need to enter the BitLocker PIN at boot. It is not enabled outside the Ofqual LAN, so if a user loses their laptop, Network Unlock will not unlock it.
Applying the NCSC’s password guidance
BitLocker Network Unlock is now being deployed across all of Ofqual, and Windows Hello allows users to log in using a PIN, as opposed to the traditional username/password. This helps to prevent users adopting insecure workarounds.
As recommended by the latest NCSC guidance, Ofqual no longer force users to change passwords every 90 days. This is supported by random monthly testing of passwords as part of an internal IT health check that ensures users’ passwords are sufficiently complex but still memorable.
“The PIN is a great timesaver. Passwords are increasingly complex these days and consequently time consuming to type. The PIN simplifies logging on in the morning and also unlocking the computer during the day. A simple thing, but it does make life easier.”
Senior Manager, Ofqual Data Centre
During the evaluation, Ofqual also applied for public service network (PSN) accreditation. Two separate IT health checks found no issues with the overall approach.
Faster logins, happier users
BitLocker Network Unlock has proved very popular with users, as has TPM + PIN as a username/password alternative. Login time has been reduced by up to 20 seconds, and it’s delivered two-factor authentication to improve device and network security. Users have faster access to IT which has enhanced their perception of IT’s reliability, security and ease of use.
Furthermore, passwords are now more memorable and more secure without users resorting to coping strategies. At the last IT health check, no passwords in the samples taken were broken.
The number of user lockouts and password resets has also reduced, allowing the IT team more time to focus on delivering improvements. When their passwords are needed, some users forget and require a password reset, but this is more than outweighed by the benefits provided by this new approach.