Somerford Associates Limited

OneSpan - Multi Factor Authentication

OneSpan provide multi-factor authentication, digital signature solutions, secures access to data and applications in the cloud, and provides tools for application developers to easily integrate security functions into their web-based and mobile applications. It can run on your preferred cloud instance or onsite depending on security requirements.


  • OneSpan IAS delivers secure, consistent centralized access to corporate resources
  • Secure access to SSL VPNs, firewalls and cloud-based applications
  • Secure access to web-based portals & Microsoft Office 365
  • Citrix solutions, VDI solutions, SaaS applications, bespoke applications
  • Delivers extensive support to all VASCO authentication technologies
  • OneSpan IAS architecture scales to hundreds of thousands of users
  • Runs on multiple platforms including provisioning support for large deployments
  • Delivers redundancy, automatic replication, and server failover
  • Add additional users without any changes to existing IT infrastructure


  • Delivers complete authentication lifecycle management via a single integrated system
  • Provides secure and seamless access to corporate resources and applications
  • Simplifies authentication management for administrators and users alike
  • Delivers the tools for simple and centralized installation and management
  • Dashboard enables fast and insightful support for users
  • Provides all the tools administrators need to facilitate smooth rollout
  • Provides built-in automated deployment functionality & migration
  • Reduces support and help desk requirements
  • Does not require dedicated servers or appliances
  • Existing databases do not need to be replaced


£158 per licence per year

  • Free trial available

Service documents

G-Cloud 10


Somerford Associates Limited

Penny Harrison

+44 1793 698 047

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Hybrid cloud
Service constraints None
System requirements

User support

User support
Email or online ticketing support Email or online ticketing
Support response times 1 HR First Response SLA Mon-Fri 9am-5:30pm excl bank holidays
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels We support P1-P4 incidents remotely or on site at a further cost (varies depending on the time required to resolve an issue.)
* A technical account manager is supplied FOC to any business or organisation acquiring Somerford's software or services.
* You have access to a cloud support engineer Mon-Fri 9am-5:30pm (not dedicated.)
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Hybrid cloud service will be set up by Somerford Associates and Vasco and we can provide both on-site and on-line training and user documentation is included when purchased.

Server Administrator Guide, Server Installation Guide and Server Product Guide are included.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Vasco does not have access to the customers Data. The customer holds the data.
End-of-contract process As long as they have an open contract, paid for the licence and have an active maintenance contract, customers have the rights to download upgrades and patches. If customers need help in installing the patches professional services can be purchased for this installation. If a customer reaches the end of their contract, all licenses will expire, appliances will be deleted (virtual) or destroyed (physical).

Using the service

Using the service
Web browser interface No
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • Windows
  • Windows Phone
  • Other
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Not applicable
Accessibility standards WCAG 2.0 A
Accessibility testing None
What users can and can't do using the API SOAP and SEAL. Available with over 125 different example command lines that can be used.
API documentation Yes
API documentation formats Other
API sandbox or test environment No
Customisation available Yes
Description of customisation Self service portal and customised mobile applications.

Users can customise from simple logo insertion up to the length of the one time passwords and signatures.

Vasco can assist with customisation or customers can do themselves.


Independence of resources Dedicated servers for every specific government organisation


Service usage metrics Yes
Metrics types Four types of report:-
1) List analysis lists all items that match the criteria of the report
2) Detail analysis shows detail of the events specified in the report definition for example a detailed list of failed authentications for users
3) Distribution Analysis shows account of events and objects for example the number of failed authentications for a domain
4) Trend analysis shows a trend over a period of time for the object specified in the reports definition
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Reseller providing extra support
Organisation whose services are being resold Vasco

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency Less than once a year
Penetration testing approach In-house
Protecting data at rest Other
Other data at rest protection approach Not applicable
Data sanitisation process No
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Via the admin web interface
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability Not applicable
Approach to resilience Available on request
Outage reporting Email alerts

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Can be customized in the management interface. FE sysadmin vs user. And for the support channels on VCE or customers with a dedicated support contract get access to the system.
Access restriction testing frequency Less than once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Is held in-house
Information security policies and processes Full documentation can be available on request.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach The customer is in complete control of what is changed in the system.
The who and what can be traced in a report.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Patches are downloaded via the support portal and potential threats or need for patches are communicated via e-mail.
Protective monitoring type Undisclosed
Protective monitoring approach Undisclosed.
Incident management type Supplier-defined controls
Incident management approach Users can report an incident via support lines, these will be raised with development and engineering. If an in-house breach has taken place, the client will follow their incident management processes.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks
  • Public Services Network (PSN)
  • Police National Network (PNN)
  • New NHS Network (N3)
  • Joint Academic Network (JANET)
  • Scottish Wide Area Network (SWAN)
  • Other


Price £158 per licence per year
Discount for educational organisations No
Free trial available Yes
Description of free trial Full version to test
installation support via reseller
time limit of 45 days, that can be extended twice.


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑