Solving Password Fatigue with an SSO Solution Makes Security Sense
There are very few people on this planet who like passwords, which is a problem as there are just so many of them. This has led to what some call password fatigue. Defined by the Collins Dictionary as “the feeling induced by trying to remember too many passwords,” it is not only a very real issue but one that can negatively impact your enterprise security posture. Users, when faced with too many passwords, will do whatever it takes to stay sane.
That includes reusing passwords across multiple accounts and employing construction tricks that aid the memory while still passing whatever policy restrictions are in place. Both play directly into the hands of potential attackers. What if there was a better way, a method of access control that prevented password fatigue while meeting your business security needs and boosting productivity at the same time? There is, and it’s called single sign-on.
So, what is SSO?
Single sign-on (SSO) is, when stripped back to a bare-bones definition, an authentication technology that enables users to access multiple applications, platforms and services using a single credential set. It’s probably apposite at this point to clarify that an SSO solution is not the same thing as a password manager, despite the latter requiring a single master password to enable access across multiple apps and services.
The key difference is one of trust: SSO is all about trust, whereas a password manager is, rather obviously, password-centric. A password manager protects multiple passwords (and for most consumers this improves their security posture), while SSO moves the focus to identity and access management (IAM) through trust and robust authentication, both of which are vital in a business setting. So, how does SSO actually achieve this?
Tokens and Trust –
Technically speaking, SSO relies upon a process of identity federation by way of any number of different protocols such as Open Authorization (OAuth) and Security Assertion Markup Language (SAML). Regardless of the standards implemented, the core process is the same and involves a service provider (any application or platform being accessed) and an identity provider (which requires a user to prove they are who they say).
The SSO service creates a token for authentication which is stored by the identity provider. It is these tokens, digitally signed structured data, that establish trust between the two. While the tokens enable the service to confirm that a person is who they purport to be, they don’t contain a password or biometric data, so they don’t create a viable attack surface in themselves. Just as critically, the service provider can then authenticate access to all of that user’s permitted applications without any requirement for further credential input.
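To make the “signed structured data” concrete, here is an added example (not code from the original article or from any particular SSO product) of what the service-provider side of that trust looks like: the identity provider signs a small set of identity claims, and the service provider accepts the token only if the signature, issuer, audience and expiry all check out. It uses a JWT-style layout with HMAC-SHA256 so it runs on the standard library alone; real SAML or OpenID Connect deployments normally use an asymmetric signature, so the shared `IDP_SECRET`, the issuer and audience strings and the `TokenError` class are all assumptions made for this illustration. Note that nothing resembling a password or biometric ever enters the token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumption for this example: a key shared between IdP and service provider.
# A production IdP would sign with a private key and publish the public key.
IDP_SECRET = b"constructed-example-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, issuer: str, audience: str,
                ttl_seconds: int, now: Optional[int] = None) -> str:
    """Identity-provider side: sign identity claims only (no secrets inside)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenError(Exception):
    """Raised by verify_token when the token must not be trusted."""


def verify_token(secret: bytes, token: str, expected_issuer: str,
                 expected_audience: str, now: Optional[int] = None) -> dict:
    """Service-provider side: return the claims only if every check passes."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        presented_sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    # Pin the algorithm server-side; never let the token choose (e.g. "none").
    if header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    signing_input = (header_b64 + "." + claims_b64).encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so signature checking leaks no timing information.
    if not hmac.compare_digest(expected_sig, presented_sig):
        raise TokenError("bad signature")
    if claims.get("iss") != expected_issuer:
        raise TokenError("untrusted issuer")
    if claims.get("aud") != expected_audience:
        raise TokenError("token not meant for this service")
    if now >= int(claims.get("exp", 0)):
        raise TokenError("token expired")
    return claims


def try_verify(secret: bytes, token: str, expected_issuer: str,
               expected_audience: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Convenience wrapper: (True, 'ok') or (False, reason) instead of raising."""
    try:
        verify_token(secret, token, expected_issuer, expected_audience, now)
        return True, "ok"
    except TokenError as err:
        return False, str(err)


if __name__ == "__main__":
    tok = issue_token(IDP_SECRET, "alice@example.com", "https://idp.example",
                      "crm-app", ttl_seconds=300)
    print(tok)
    print(try_verify(IDP_SECRET, tok, "https://idp.example", "crm-app"))
    print(try_verify(IDP_SECRET, tok, "https://idp.example", "payroll-app"))
```

The audience check is what stops a token minted for one application being replayed against another, and the pinned algorithm plus constant-time comparison are the two verification mistakes most often seen in hand-rolled token code.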
Three essential SSO keywords: security, productivity, cost –
A properly architected and implemented SSO solution will serve to shrink the enterprise attack surface. How so? For one thing, it reduces poor password hygiene and all the risk that brings. Furthermore, it makes revoking access privileges for former employees a cinch, and that’s hugely significant as research suggests as many as one in four former employees still remember the access credentials for their old work accounts. SSO can also increase visibility into which users are accessing what services and when. Lacking this visibility is a surefire way to expand the attack surface. The key here is proper implementation, of course, as is made clear in the conclusion to this article.
Productivity should increase by reducing the time taken not only to enter the correct credentials to access multiple applications and services, but also the time taken by IT support for those that are forgotten or entered incorrectly and trigger a reset requirement. Anything that increases user productivity while at the same time reducing the help desk burden achieves another holy grail: it reduces overall costs to the business.
The Security Panacea Misstep –
So, is an SSO solution a secure user access panacea? Not really. It’s part of the process towards managing user access securely. While implementing SSO makes a lot of security sense, a poorly designed SSO solution can present a single point of failure and weaken enterprise security as a result. If an attacker compromises one user’s credentials in such a scenario, they compromise access to every application that can be accessed just as easily as if that user had been reusing passwords elsewhere.
As Ambler Jackson, a consulting attorney with risk and compliance expertise, writes, SSO “must be combined with risk-based access control for tracking and controlling user behavior within an organization’s systems to enable conditional access and step up security using multi-factor authentication (MFA).” Eric Avigdor from Thales Identity-centric zero-trust agrees that the idea of “a static login for all user activities is not enough to address the evolving risk landscape where businesses operate.” It is, however, Avigdor emphasizes, “a crucial element of access management.”
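The two points made in this section and in the “security, productivity, cost” section (that a static SSO login needs risk-based, conditional access with step-up MFA behind it, and that SSO should give visibility into who accessed what and when) can be shown together in one small policy engine. This is an added example, not code from the article or from any vendor: the risk signals, their weights, the thresholds and the audit-line format are all assumptions chosen for illustration, and a real deployment would draw these signals from its identity provider and device inventory.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Decision outcomes (names assumed for this example).
ALLOW, STEP_UP_MFA, DENY = "allow", "step_up_mfa", "deny"

# Thresholds and weights are illustrative assumptions, not a standard.
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 70


@dataclass(frozen=True)
class AccessRequest:
    """Context a service sees after the IdP has already authenticated the user."""
    user: str
    app: str
    app_sensitivity: str            # "low" or "high" (assumed classification)
    known_device: bool              # device previously enrolled / seen for this user
    country: str                    # country of the current request
    usual_countries: FrozenSet[str] # countries this user normally logs in from
    mfa_completed: bool = False     # a fresh second factor was presented this session
    impossible_travel: bool = False # two logins too far apart to be physically possible
    failed_logins_last_hour: int = 0
    timestamp: str = "1970-01-01T00:00:00Z"  # constructed value for the audit line


def risk_score(req: AccessRequest) -> int:
    """Additive risk score from the signals above (weights are assumptions)."""
    score = 0
    if not req.known_device:
        score += 30
    if req.country not in req.usual_countries:
        score += 25
    if req.impossible_travel:
        score += 50
    if req.failed_logins_last_hour >= 5:
        score += 20
    return score


def decide(req: AccessRequest) -> Tuple[str, str]:
    """Conditional access: allow, require step-up MFA, or deny, with a reason."""
    score = risk_score(req)
    if score >= DENY_THRESHOLD:
        return DENY, f"risk score {score} at or above deny threshold"
    if req.app_sensitivity == "high" and not req.mfa_completed:
        return STEP_UP_MFA, "sensitive application requires a fresh second factor"
    if score >= STEP_UP_THRESHOLD and not req.mfa_completed:
        return STEP_UP_MFA, f"risk score {score} requires a fresh second factor"
    return ALLOW, f"risk score {score} within policy"


def audit_line(req: AccessRequest) -> str:
    """The 'who, what, when' record that SSO visibility depends on."""
    decision, reason = decide(req)
    return (f"time={req.timestamp} user={req.user} app={req.app} "
            f"country={req.country} known_device={req.known_device} "
            f"decision={decision} reason=\"{reason}\"")


if __name__ == "__main__":
    # Constructed sample requests.
    routine = AccessRequest("alice", "wiki", "low", True, "GB", frozenset({"GB"}),
                            timestamp="2024-05-01T09:02:11Z")
    new_laptop = AccessRequest("alice", "wiki", "low", False, "GB", frozenset({"GB"}),
                               timestamp="2024-05-01T09:05:40Z")
    payroll = AccessRequest("bob", "payroll", "high", True, "GB", frozenset({"GB"}),
                            timestamp="2024-05-01T09:07:03Z")
    suspicious = AccessRequest("bob", "payroll", "high", False, "XX", frozenset({"GB"}),
                               impossible_travel=True, timestamp="2024-05-01T09:08:55Z")
    for req in (routine, new_laptop, payroll, suspicious):
        print(audit_line(req))
```

The point of the structure is that the SSO login is only the first gate: a routine request sails through, a new device or a sensitive application triggers step-up MFA rather than a blanket block, and a request that combines several strong signals is refused outright, with every decision written to an audit line a SOC can search by user, application and time.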
Author Bio –
Davey is a freelance technology journalist and a senior contributor to Forbes, as well as being contributing editor at PC Pro magazine. He was named ‘Cyber Writer’ of the year in the 2020 Security Serious Unsung Heroes awards. He also contributes to InfoSecurity Magazine, SC Magazine UK, The Observer/Guardian, and Digital Health Intelligence.