Arcot, for us, is really about multi-factor authentication. We use it on our client's side and, I think, probably the two biggest features of that are from the end-user experience. So, it is basically a token that is stored on the device which represents something you have, but the user actually logs in effectively with a password. They're not really aware that they've got a second factor. So, that's quite nice.
The second distinctive feature is that it has protection against brute force attacks, which means even if you got a hold of the token and you tried to guess passwords or try a brute force circuit, it will always return a value of which you cannot tell whether it is successful at all.
Improvements to My Organization
The main benefit is really around the fact that there is a soft token. The cost of having to distribute a hard token isn't there. Some of our colleagues in other business divisions are issuing cards or some other second-factor device. This gets quite expensive, so being able to issue a soft token, but still having fairly strong security, is a big factor for us.
Room for Improvement
Arcot itself is based on a browser technology. This means that the office ID is effectively stored as a cookie in the browser. One of the things we have seen from our customers is that certain policies dictate that browser caches are cleared, which means cookies get deleted. This then means that some classes of users have to continuously download the office ID and go through the long process. So we would like to see that addressed, where the office ID becomes a bit more persistent or presented in a better way.
I don't really get involved on the operational side of things; I'm an architect. I would hear of issues. I don't think we have many issues operationally with Arcot. I think it's a very mature product, so I don't think there's issues there.
As a technology, it is more of an end-user one as the Arcot ID goes onto the end-user platform. In terms of scalability, there's really not much to say about it. It goes against the backend authentication services. It's built to scale to very large capacity, so we don't have any issues with scalability from Arcot and certainly not on the backend services.
Customer Service and Technical Support
I can't really comment. I don't really engage with them, but I would imagine support is pretty good. Otherwise, we would have issues because if these things can't be fixed or cannot reach support, these are critical banking infrastructure which supports critical banking applications. So if the support isn't there, we would have gotten rid of it a long time ago.
I think one thing I would say would be to make sure you test all of your use cases against Arcot. Make sure you understand the enrollment process, the de-enrollment process, understand how to authenticate use cases, and ensure that it covers everything that you need.