For enterprise-level Single Sign-On, the “one password to compromise them all” problem is resolved by requiring Two-Factor Authentication for the initial access. By combining the password with a physical device (proximity card, mobile phone, one-time password token), biometrics (most commonly fingerprint biometrics), or even with information about the user’s device or physical location, the system is much harder to compromise.
With the initial login properly secured, the advantages of SSO can include:
- Automatic credential storage for login and password changes
- Automatic login to applications – better user experience
- Stronger and/or automatic password changes
- Faster access to systems
- Self-service password look-up and management
- Single-click revocation of all application access for a user
- Reduction to zero or near-zero password reset calls
- Auditing of application access
Some disadvantages and considerations:
- Single point of failure – multiple redundancy levels are needed
- Limited to known or managed laptops/desktops – a remote access component should be considered
- Need to monitor application upgrades and changes – SSO templates/profiles should be easy to modify
- Different types of users have different workflows – the solution should have flexible security policies to meet these requirements
As mentioned, the security of the solution is only as strong as the product providing it. All credential data must be encrypted, transmitted and secured by proprietary means. Storage of that data should be in a completely secured environment, and not in common or widely known systems, such as Active Directory or a shared folder on the network.
When properly designed, implemented and secured with two-factor authentication, the benefits of SSO will outweigh the disadvantages. A good SSO solution will strengthen security, streamline application access, and vastly improve user experience.
Feel free to contact E-SPIN for the various technology solutions that can facilitate your single sign-on (SSO) infrastructure availability and security monitoring.