Chevron has had it with passwords

Chevron early next year plans to eliminate the last of 50,000 network passwords, finalizing a transition to a smart card-based system designed to dramatically increase security and privacy while cutting costs.

In January, users in 200 countries and in 1,800 offices worldwide will have no other means to log on to the network and gain access to resources other than their Chevron SmartBadge, a plastic card with three chips that support building and network access, desktop logon and single sign-on to nearly 3,000 applications.

The password's death is a milestone four years in the making. During that time, the oil giant has been rolling out SmartBadge and the infrastructure to support two-factor authentication on a single card as its corporate identity, privacy and security standard.

Two-factor authentication is based on something you have and something you know. In Chevron's case that is the SmartBadge and a PIN.

Other companies use badges that combine building and network access, but Chevron is the pioneer for also including desktop logon, certificates for digital signatures and encryption, and single sign-on.

"This project has been going on for a long time, mainly because we decided not to go with a big-bang approach," says Edmund Yee, an emerging technology team leader in Chevron's Information Technology Company.

"We wanted to bring in pieces in small, achievable chunks and then keep on expanding," he says.

Yee and Schlumberger, the project's systems integrator, have no doubt they took the right approach, which included a yearlong effort to define governance and policy standards.

"Getting into systems securely and being able to do things like digital signatures, encrypting drives and data encryption - that is where this starts to touch business processes and where you get into formally auditing events and establishing non-repudiation," says Greg Salyards, practice manager at Schlumberger.

Salyards says the SmartBadge lets Chevron transform critical corporate decisions that were once just paper trails into digital records. Another result has been a 70% reduction in the nearly 4,000 password resets Chevron was performing each month.

In addition, Chevron, which is considered critical infrastructure under the federal government's Department of Homeland Security, is out in front of the requirements outlined in February's Homeland Security Presidential Directive.

Salyards says the cost - not including services - was $50 per user for the cards, readers and software. Chevron won't disclose what it spent on SmartBadge or what its overall cost savings have been, but Yee says the ROI was immediate.

Getting started

In 2000, Yee says, Chevron began to refresh servers, desktops and network security. The project heated up nearly a year later, after a merger with Texaco that created a need for new employee badges, and the Sept. 11 terrorist attacks. It was then that Chevron's board made an ongoing study of two-factor authentication part of a mandate around improvements to security.