When the top five aerospace and defense companies — BAE Systems, Boeing, Lockheed Martin, Raytheon, Rolls-Royce — moved to to centralize B2B collaboration and supply chain management, they created Exostar, as a joint venture. As you can imagine, these organizations have common suppliers, all of whom would benefit from a single set of supply chain ordering and sourcing procurement tools with which to be competitive. By integrating Twilio’s Authy two-factor authentication solutions, Exostar now provides secure identity management for over 80,000 users conducting business with their clients.
In the early 2000s, when Exostar started doing centralized B2B e-commerce and supply chain management, the company’s focus was on building a hub-and-spoke model. As the threat landscape evolved rapidly along with expanding internet-use, their focus quickly shifted to securing applications first, and then providing the B2B collaboration utilities behind a secure wall. “Security is at the core of our business,” said Matthew Williams, product manager for credentialing solutions at Exostar. “The sensitive nature of the materials that we provide access to required that we evolve into a security-focused and security-centric company."
As the definitive identity provider for the extended supply chain in aerospace & defense, Exostar has since branched into the healthcare and life sciences industries, facing —and overcoming— new challenges in secure identity management. As suppliers look to conduct business with buyers in these industries, they are driven to unique Exostar portals to get access to view RFPs, place bids, download purchase orders, and upload invoices. “Once an Exostar customer logs in,” Williams explained, “we continue to observe their activity. Every server that is touched and every application layer that takes a user deeper into our systems requires additional authorizations, authentications, monitoring, and behavioral analytics. We always look at things from a security perspective. It's critical.”
Because of the need to exhibit strong authentication into their buyer portals, Exostar has always offered a multi-factor authentication paradigm. But the suppliers, researchers, and clinical technicians who are Exostar end-users — the people who are actually authenticating into these systems — have different credentialing needs.
Exostar’s original two-factor credentialing system was hardware-based. “In the beginning, we offered OTP (one-time passcode) credentials with key fobs,” recalled Williams. “It’s a technology that’s been around a long time,” he admitted, recalling the small, key-sized gadgets that display a new digital code every twenty to thirty seconds or when activated by the owner.
But hardware-based tokens had limitations, especially when there was a need to rapidly onboard suppliers, like when, for example, a procurement activity was taking place. The companies on the ‘buyer-side’ need supplier companies to bid competitively and submit quotes and proposals expediently. “Neither the buyers nor the supplier had the luxury to wait for us to ship out hardware tokens,” said Williams.
Because of this need-for-speed, Exostar started using SMS-based authentication provided by Twilio. Coupled with Twilio Programmable Voice, a text-to-speech OTP code spoken via telephone, this improved the buyer/supplier communication cycle tremendously.
“This worked for our aeronautics clients for a time,” said Williams, “but when we got into the healthcare space we needed something that gave us the best of both worlds: hardware-based but also immediate.”
Williams explained: “Prescribing drugs typically requires just one factor of authentication, but federal law requires that doctors prescribing controlled substances have two factors of credentialing.”
Since the U.S. Drug enforcement Agency (DEA) requires that the second factor of credentialing be committed via a form of hardware, healthcare professionals using the Exostar platform were required by law to have a hardware-based credential. However, the end-users (physicians doing the prescribing) were averse to carrying around a key fob that could be easily lost or misplaced.
Additionally, physicians wanted to be able to start using the Exostar systems right away and didn’t want to wait for a key fob to be delivered. If Exostar was going to succeed in the healthcare vertical, they had to delivering instantaneously while still being hardware-based.
The solution came from Twilio’s Authy app, in which the second-factor components can be stored in such a way that the device used to authenticate is actually considered a hardware credential, satisfying DEA requirements not met by SMS-based 2fa or voice OTP solutions. “Almost everybody has a smartphone in their pocket,” explained Williams. “And the doctors love it since they’re less likely to misplace a smartphone than a key fob.”
“Duo got our attention first,” admitted Williams, who also evaluated SafeNet’s eToken and MobilePASS+. “But none of the solutions we looked at were meeting all of our requirements.”
And, Williams admitted, their evaluation process was formidable: “Exostar is a conservative organization. We are risk-averse. In our field, we’re not considered to be cutting-edge technology leaders. We like to make sure technology is tried-and-true and trustworthy before we adopt.”
Then, shortly after Exostar launched an SMS-based 2FA, Authy was acquired by Twilio. “We had heard of Authy previously, and had some discussions with them,” explained Williams, “but the affiliation with Twilio helped accelerate and fine-tune those discussions into something bigger.”
“We chose Authy because Twilio made it very obvious they were willing to partner with us, which other services did not,” he added.
Furthermore, since the typical Exostar end-users are doctors or aerospace accountants who don’t have the time or background to learn a complex computer application, Exostar required a solution that was as user-friendly as possible. “We felt the Authy app interface was a little cleaner than competitor offerings,” said Williams. “And it does a really good job of guiding new users through the credentialing and registration process.”
“Plus,” he added, “we knew we’d eventually be interested in customizing the app and branding it ourselves. Twilio was, and is, open to that idea.”
There are a lot of multi-factor use cases that we think Twilio Authentication is going to solve for us. They’ve been a good partner, and we are excited about the technology.
Exostar acknowledges that the relationship with Twilio feels more like working with a partner than a vendor. “That's because of the willingness, the transparency, and the candour that we've experienced from the Twilio authentication team,” said Williams.
“Our auditors had to poke under the hood, which many vendors are reluctant to allow,” Williams recalled. “And when it came to documentation and training, it’s been an overwhelmingly positive experience.” Especially well received was Twilio’s on-site train-the-trainer sessions. Now, Exostar support supervisors are trained to train their support reps on how to support the app. It's a win-win-win.
All in, 80,000 users are now credentialing via Exostar (and subsequently through Twilio authentication solutions) and adoption of the Authy app is increasing as the company continues the roll out to more buyers and suppliers in the Healthcare and Life Services industries.
“First impressions are that Exostar users love the Authy app much more than the hardware OTP tokens they were previously required to use,” Williams reported.
As Exostar continues to roll out Twilio’s Authy app to aerospace and defense clients, it's expected that adoption will be swift as benefits of faster and more convenient credentialing become evident. Then the company will be looking at creating an Exostar-branded experience and deploying a customized push-notification version of the app built on Twilio’s Authentication SDK.