Some IT professionals label the process of synchronizing a username and password across applications as single sign-on, meaning there is one username and password that is kept in sync across applications. The truth is that this is a relic of the early years of distributed computing, before true SSO solutions arrived on the market. This old (and frankly, crude) solution to the problem of multiple usernames and passwords provides some convenience but fails to deliver greater compliance, administration or security benefits. Fortunately, modern solutions have phased out this approach and now offer far more integrated and seamless functionality, with tighter security controls and a far better audit trail than mere password synchronization could ever provide.
Myth #2: In SSO environments, users still enter their passwords and/or know the actual credential that is passed onto the application
Somewhat related to Myth #1, this misconception assumes that SSO provides no automation but rather just passes through whatever the user enters. Not true, as this approach would provide little convenience with almost no security or compliance benefits! The truth is that SSO solutions provide authentication automation for each application accessed. Once the user has logged into the SSO solution, it automates the process of providing each application with a set of credentials for that user and ensures that the granular access policies for each application are applied. The SSO solution can also provide a detailed audit trail and centralized control over application access in the event of a security incident.
Myth #3: SSO reduces security
This outdated belief stems from the assumption that SSO provides a single set of keys to the kingdom, and that once those keys are in the wrong hands, all applications will be at risk. But the truth is that when used properly, SSO actually increases security by enabling more complex authentication policies, randomizing the passwords held for each application, and enabling re-authentication within an application as needed.
In addition, SSO solves one of the biggest, longest-standing and most intractable problems of security: leaving password management in the end users' hands. Everyone knows that having strong, unique and regularly changed passwords (that are not all written down in one place) is important for maintaining basic security of end user accounts. However, whether we are talking about work or personal accounts, we all know that these best practices are seldom followed by end users without some form of enforcement mechanism from IT. An SSO solution requires users to remember one secure password for everything they access, rather than forcing them to have many similar passwords (which will often be much weaker).
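To make the mechanics behind Myths #2 and #3 concrete, here is a small illustrative SSO broker written for this article; it is not code from any vendor's product, and the class names, the per-application policy model and the sample users and applications are all assumptions. The user types one password, the broker generates a randomized per-application credential the user never sees, enforces a per-application role policy, demands re-authentication once the primary login is older than the application allows, and records every decision in a central audit trail that a single revocation action can draw on during an incident.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AppPolicy:
    """Per-application access rule enforced by the broker, not by the user."""
    allowed_roles: frozenset
    max_auth_age: float  # seconds since primary login before re-authentication is required


class SSOBroker:
    """Hypothetical SSO broker: one primary login, per-app credentials the user never sees."""

    def __init__(self, policies, clock=time.time):
        self.policies = policies   # app name -> AppPolicy
        self.clock = clock         # injectable so re-authentication timeouts can be tested
        self.users = {}            # username -> (salt, password hash, roles)
        self.sessions = {}         # session token -> (username, time of last primary auth)
        self.app_creds = {}        # (username, app) -> randomized per-application password
        self.audit = []            # central audit trail of every decision the broker makes

    def _log(self, event, **fields):
        self.audit.append({"ts": self.clock(), "event": event, **fields})

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, roles):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(salt, password), frozenset(roles))

    def login(self, username, password):
        """Primary authentication: the only password the user ever types."""
        record = self.users.get(username)
        if record is None:
            self._log("login_failed", user=username, reason="unknown user")
            return None
        salt, stored, _ = record
        if not hmac.compare_digest(stored, self._hash(salt, password)):
            self._log("login_failed", user=username, reason="bad password")
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, self.clock())
        self._log("login_ok", user=username)
        return token

    def access(self, token, app):
        """Returns (status, app_credential). The credential is generated and held
        by the broker and handed to the application; the user never learns it."""
        session = self.sessions.get(token)
        if session is None:
            self._log("access_denied", app=app, reason="invalid session")
            return ("denied", None)
        username, last_auth = session
        policy = self.policies.get(app)
        if policy is None or not (self.users[username][2] & policy.allowed_roles):
            self._log("access_denied", user=username, app=app, reason="policy")
            return ("denied", None)
        if self.clock() - last_auth > policy.max_auth_age:
            self._log("reauth_required", user=username, app=app)
            return ("reauth_required", None)
        key = (username, app)
        if key not in self.app_creds:
            # Randomized per-application password, unrelated to the user's primary password.
            self.app_creds[key] = secrets.token_urlsafe(24)
        self._log("access_granted", user=username, app=app)
        return ("granted", self.app_creds[key])

    def revoke(self, username):
        """Incident response: one central action cuts the user off from every application."""
        for token, (user, _) in list(self.sessions.items()):
            if user == username:
                del self.sessions[token]
        self._log("revoked", user=username)


if __name__ == "__main__":
    # Constructed sample data: two applications with different policies, one staff user.
    broker = SSOBroker({
        "payroll": AppPolicy(frozenset({"hr"}), max_auth_age=300.0),
        "wiki": AppPolicy(frozenset({"staff", "hr"}), max_auth_age=86400.0),
    })
    broker.register("alice", "correct horse battery staple", {"staff"})
    token = broker.login("alice", "correct horse battery staple")
    print(broker.access(token, "wiki"))      # granted, with a random per-app credential
    print(broker.access(token, "payroll"))   # denied by policy: alice is not in "hr"
    for entry in broker.audit:
        print(entry)
```

The re-authentication check is what lets a sensitive application such as the constructed "payroll" demand a fresh primary login every five minutes while a low-risk application accepts a day-old session, and the audit list is the single place an incident responder would look before calling `revoke`.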
Myth #4: SSO is only for internal users, not public-facing services
This last misconception deals with much more recent trends in IT, and requires a more thorough response.
As we discussed earlier in this article, SSO gives you increased efficiency in management and security, and the ability to grant users access to online services. As organizations start to deepen their interactions with their customers or users, they want to provide online access to services that are more personalized. One approach is to use the concept of social identity. This approach uses existing online identities, such as those created with services like Facebook or LinkedIn, and allows the same identity to be used to access a business' or government entity's services.