The system we use to authenticate is the same one that members use for logging on to everything else. We have a single sign-on process, which is powered by the Microsoft Azure Active Directory service. We didn't try to build something of our own; we wanted to go off the back of the industry leader for this kind of thing. That's the most logical thing for us to do. It's the same thing that is used by members now. Email is the most obvious one, as they are all familiar with it.
The security we get is being run by Microsoft. We don't run and maintain anything ourselves. It's a well-known industry standard provider.
Members are given passwords, and the secondary level is a kind of multifactor authentication, much like you might get with online banking. You get a code that lasts for 30 seconds. We can send the code out by a text or through an app to your mobile device that tells you your code is “123456”. That lasts for 10 more seconds, and when time runs out it won't work anymore and you have to use a different one.
When members first log in to the system, they will be asked to type in their username and password. Then they will be asked for their multifactor code. They have to type all that in to access the system. Then we keep them logged in for a period of time before they will be asked again. If they don't do anything for about an hour, it will make them re-enter that data. If they left the machine and wandered away and came back without pressing any buttons, they would have to enter it again before they could carry on.