Multi-Factor Authentication: SMS and Voice Calling

Descriptions

This is to alert interested parties that HM Revenue and Customs is going out to tender to meet its needs for the provision of SMS and Voice Calling as part of a Multi-Factor Authentication process and Customer Service Campaigns. HMRC send out access codes to their customers via SMS or Voice to either landlines or mobiles, anywhere in the world. The Authority intends to award a single supplier contract for the provision of a SMS and Voice Calls service as part of a Multi-Factor Authentication Process. Currently approximately 80 million SMS a year and 2 million voice calls are issued per annum on behalf of HMRC. The service consists of two elements - Multi-Factor Authentication and Customer Service Campaigns. 1) The current scope for the SMS and Voice Calling as part of the Multi-Factor Authentication service is limited to the following: a) To send a 6 digit access code (that expires after 15 minutes) to a customer b) The code can be sent to a landline or mobile via SMS or Voice c) The user could be in the UK or abroad (anywhere in the world) d) The code is sent using a short code associated with HMRC e) To provide a helpdesk function to investigate issues customers have with receiving the access code f) To provide development/changes at nil cost. 2) The SMS service as part of Customer Service Campaigns include all above Multi-Factor Authentication requirements with the below additional requirements: a) Ability to have 2-way SMS if needed, where customers can reply to SMS, and ability to view replies and MI. b) Search Facility, to show all SMS a customer has received. c) Ability to see if SMS has been opened/read. d) A dead number check. The Supplier must check if a number is live or dead before SMS is sent. This must be at a significantly lower cost than the sending of an SMS. If the check fails, this must not prevent the SMS from being sent. Dead numbers will then need to be screened against for future campaigns and removed as necessary. HMRC requires potential providers to comply with the relevant essential requirements below: a.) ISO-27001 Certification as accredited by UKAS or a comparable body, b.) Cyber Essentials Certification c.) Cyber Essentials Plus Certification d.) Pen Testing by CREST approved third party auditor every 3 months for both internal and external system IP's. Tested to OWASP latest guidelines. e.) Dedicated server architecture either third party or owned, must be UKAS accredited to ISO-27001, ISO14001, ISO-9001, ISO18001 f.) Cyber Risk Insurance. g.) Security Patch Management System. Please refer to the additional information section, and relevant documents attached to obtain more information on registering interest for this tender.