Faced with a frustrating and unreliable login process, selected staff at the Judicial Appointments Commission (JAC) formed part of a trial project to test a new authentication system incorporating Windows 10 and Windows Hello technologies. Under the new system, users are authenticated with a single BitLocker PIN, then biometrically with Fingerprint ID, reducing login times and transforming the user experience.
Time consuming and unreliable logins
The Judicial Appointments Commission is an independent arm's-length body funded by the Ministry of Justice. Based in our office in London, we currently have 50 staff along with 50 part-time panellists who support our 15 Commissioners to make recommendations for judicial posts in England and Wales.
Our staff and panel members find the IT system frustrating at times. Logging in remotely can sometimes require up to 4 separate passwords. Some staff have taken up to 30 minutes before accessing all their required services. To add to the frustration, users were frequently forced to restart their machines and the entire login process.
Windows 10 and Windows Hello
Having gained a place on the NCSC's Secure by Default Partnership Programme, we had an opportunity to explore an independent cloud-hosted network using Windows 10 and Windows Hello technologies. The aim was to improve the speed of logging on, and the overall user experience. We also wanted to explore alternative ways of accessing our business applications via a VPN.
With these goals in mind, the team decided to conduct a pilot scheme with a small number of users. This would provide a solid proof of concept, and allow us to plan and cost any further deployments across the entire organisation.
Based on user requirements, we sourced and selected appropriate devices: Windows Surface Pro 4s and Lenovo X60s, both of which have fingerprint ID capability to allow users to sign in with a single biometric gesture.
The devices came with Windows 10 as standard, and we then enabled Windows Hello, following recommended NCSC guidance for the configuration of Windows 10, including features such as installing BitLocker on the local device.
Device configuration and setup
As far as possible, devices were configured and managed by Microsoft Intune, Microsoft’s mobile device management solution. The most challenging aspect was securing devices without too much local policy deployment.
The SIRO (Senior Information Risk Owner) was satisfied that Intune could deliver enough policy, and was content to accept the risk of using local policies, as we believe Microsoft are working to deliver greater functionality from Intune for cloud-only deployments. Should the local policy fail, the device would still meet a good baseline security level.
A new VPN was created within our existing hosting platform to enable connectivity to a key business system from the new devices.
The solution relied upon Office 365 for email, file storage and collaboration tools. Again, the project made use of NCSC guidance to secure this part of the solution.
A transformational user experience
Using the new authentication system, login times were dramatically reduced and the user experience transformed.
Under the new system, users enter a BitLocker PIN and are then biometrically authenticated using a fingerprint ID. Access to all relevant applications and systems is provided seamlessly behind the scenes.
“Many of our users have had frustrating experiences with the current network, particularly as they know there are newer and more flexible systems out there. I have been pleased to see the immediate positive response to a straightforward simple login process and how they are much more productive. In my role as SIRO I am pleased with the levels of security provided by the new hardware and software.”
Alan Crouch, Head of Digital, JAC
This is just the beginning
The pilot has provided the JAC with a solid proof of concept and indication of the resources needed to roll this out to more of our staff.
We’d like to carry out further work on single sign-on to our Drupal business application, which was proven to be successful in a test environment. We also want to explore more opportunities using Office 365 and SharePoint.
Longer term, we hope the VPN could be replaced with Microsoft DirectAccess connectivity from the end user device.