Somerford Associates Limited

OneSpan - Multi Factor Authentication

OneSpan provide multi-factor authentication (MFA), digital signature solutions, secures access to data and applications in the cloud, and provides tools for application developers to easily integrate security functions into their web-based and mobile applications. It can run on your preferred cloud instance or onsite depending on security requirements.


  • OneSpan IDENTIKEY Authentication Server (IAS) delivers secure, consistent centralized access
  • Secure Sockets Layer Virtual Private Network (SSL VPNs) firewalls
  • Secure access to web-based portals & Microsoft Office 365
  • Citrix solutions, Virtual Desktop Infrastructure (VDI) solutions and SaaS applications
  • Delivers extensive support to all OneSpan authentication technologies
  • OneSpan IAS architecture scales to hundreds of thousands of users
  • Runs on multiple platforms including provisioning support for large deployments
  • Delivers redundancy, automatic replication, and server failover
  • Add additional users without any changes to existing IT infrastructure


  • Delivers complete authentication lifecycle management via a single integrated system
  • Provides secure and seamless access to corporate resources and applications
  • Simplifies authentication management for administrators and users alike
  • Delivers the tools for simple and centralized installation and management
  • Dashboard enables fast and insightful support for users
  • Provides all the tools administrators need to facilitate smooth rollout
  • Provides built-in automated deployment functionality & migration
  • Reduces support and help desk requirements
  • Does not require dedicated servers or appliances
  • Existing databases do not need to be replaced


£158 a licence a year

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

5 3 6 8 2 0 8 6 8 9 0 5 3 6 4


Somerford Associates Limited Penny Harrison
Telephone: +44 1242 388168

Service scope

Software add-on or extension
Cloud deployment model
Hybrid cloud
Service constraints
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
The Standard Support Plan provides technical assistance Monday through Friday during standard business hours, except for holidays. Technical Support is organized per region – OneSpan distinguishes the following regions. OneSpan guarantees an email or telephone response to the customer’s designated contacts within 4 business hours.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Our Service Desk provides support for P1 to P4 where a part of the software, appliance or license was previously working and is not working as expected or at all.

If an issue requires a level of Professional Services to engage, a member of the support team will discuss with your Account Manager to discuss this further.

Service Desk offer support through several channels, including telephone, e-mail and remote sessions where appropriate. Any employee of our entitled customers can raise a support desk ticket via telephone or e-mail with their company e-mail address. This will be logged and assigned to an engineer who will respond within 1 business hour.

Somerford resolve over 90% of service desk tickets without requiring the involvement of our Partners. Where Partner involvement is required, we will advise you on this the process. Wherever possible, we will manage your service desk case with our Partners.

Our service desk is available between 9am and 5pm Monday to Friday, excluding Bank Holidays. Our service desk will provide support for existing Customers and companies that are engaged in Proof of Concepts.

All our customers have a Technical Account Manager.
Support available to third parties

Onboarding and offboarding

Getting started
Hybrid cloud service will be set up by Somerford Associates and Vasco and we can provide both on-site and on-line training and user documentation is included when purchased.

Server Administrator Guide, Server Installation Guide and Server Product Guide are included.
Service documentation
Documentation formats
End-of-contract data extraction
OneSpan does not have access to the customers Data. The customer holds the data.
End-of-contract process
As long as they have an open contract, paid for the licence and have an active maintenance contract, customers have the rights to download upgrades and patches. If customers need help in installing the patches professional services can be purchased for this installation. If a customer reaches the end of their contract, all licenses will expire, appliances will be deleted (virtual) or destroyed (physical).

Using the service

Web browser interface
Application to install
Compatible operating systems
  • Android
  • IOS
  • Windows
  • Windows Phone
  • Other
Designed for use on mobile devices
Differences between the mobile and desktop service
Not applicable
Service interface
What users can and can't do using the API
SOAP and SEAL. Available with over 125 different example command lines that can be used.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Self service portal and customised mobile applications.

Users can customise from simple logo insertion up to the length of the one time passwords and signatures.

Vasco can assist with customisation or customers can do themselves.


Independence of resources
Dedicated servers for every specific government organisation


Service usage metrics
Metrics types
Four types of report:-
1) List analysis lists all items that match the criteria of the report
2) Detail analysis shows detail of the events specified in the report definition for example a detailed list of failed authentications for users
3) Distribution Analysis shows account of events and objects for example the number of failed authentications for a domain
4) Trend analysis shows a trend over a period of time for the object specified in the reports definition
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Reseller providing extra support
Organisation whose services are being resold

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
Less than once a year
Penetration testing approach
Protecting data at rest
Other data at rest protection approach
Not applicable
Data sanitisation process
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Via the admin web interface
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Not applicable
Approach to resilience
Available on request
Outage reporting
Email alerts

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Can be customized in the management interface. FE sysadmin vs user. And for the support channels on VCE or customers with a dedicated support contract get access to the system.
Access restriction testing frequency
Less than once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
Is held in-house
Information security policies and processes
Full documentation can be available on request.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The customer is in complete control of what is changed in the system.
The who and what can be traced in a report.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Patches are downloaded via the support portal and potential threats or need for patches are communicated via e-mail.
Protective monitoring type
Protective monitoring approach
Incident management type
Supplier-defined controls
Incident management approach
Users can report an incident via support lines, these will be raised with development and engineering. If an in-house breach has taken place, the client will follow their incident management processes.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£158 a licence a year
Discount for educational organisations
Free trial available
Description of free trial
Full version to test
installation support via reseller
time limit of 45 days, that can be extended twice.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.