Single Sign-On (SSO) - Everything You Need to Know
In today’s business world workers utilize numerous web-based systems to get their jobs done. These may be accounting systems, payroll, marketing and IT related management systems and many, many others.
What makes this challenging for workers is that they have to remember the unique logins and passwords to all of these disparate systems which can truly turn into a nightmare for the employee and the IT personnel who have to reset passwords on almost a daily basis for workers who have forgotten their passwords to these platforms.
As a result, many workers resort to what is the bane of many a Chief Information Security Officer: the worker writes down their passwords and user IDs and stores them at their desk or in a spreadsheet, where they can often be easily found by another employee with nefarious intent, or by an outside attacker looking to gain access to sensitive systems and data.
Yes, there are other means to capture user IDs and passwords, such as password “safes” that store the data in an encrypted fashion, but these become cumbersome the more user IDs and passwords are stored in them. As a result, system users often go back to a less secure means of tracking their user IDs and passwords, placing their organization and the data contained within the myriad of systems at risk.
So, if writing down user IDs and passwords is a bad idea and password safes aren’t the panacea that the company is looking for, what’s the answer?
Enter Single Sign-On, or SSO. This may be the answer that so many are looking for to aid them in their quest to secure the user IDs and passwords of their employees, while at the same time providing a secure way for employees to access systems without having to write down their passwords or put them in some kind of password safe.
What Is Single Sign-On (SSO)?
You may be wondering what is Single Sign-On, or SSO as it is more commonly referred to. Single sign-on is a mechanism where a computer user can log on to one portal that then provides them access to multiple other platforms without having to authenticate again to those systems. By allowing this type of access companies can feel more at ease that passwords to critical systems are not being stored in an insecure fashion.
The basic scenario works like this. The user only has to remember one password, so it’s typically much easier for them to construct a strong password using upper- and lower-case letters, special characters and numbers that they can easily remember and not have to write down or store in a password safe.
What Happens After A User Authenticates to the SSO Platform?
Once the user authenticates to the SSO platform they are typically presented with a portal that has a listing or an icon set of all of the different applications that are tied into the SSO platform and to which they can authenticate via the SSO portal.
Once the user selects a system from the listing or icon set, the credentials to authenticate are passed from the SSO portal to the second system and the user is then allowed access. It’s basically a single pane of glass into all, if not most, of the systems that the user needs access to on a daily basis.
So, What is the Downside?
While SSO technologies make things easy for the user, they do present some challenges for the IT teams and/or the Information Security Officer. Why? Well, for a couple of reasons.
First, you are entrusting the authentication to your critical or sensitive systems to a third party that is typically cloud-based, and as a result you are dependent upon them to have the proper security controls in place to protect your authentication data.
Secondly, you are trusting that the users construct and use strong passwords for the SSO platform. Weak passwords on the SSO platform place all of your linked applications at risk, not just the SSO platform itself.
How Do You Protect Yourself When Using SSO?
If you are planning on joining the thousands of companies that are using SSO technologies, there are some things that you can do to protect yourself, and your applications, both from outside attackers and from employees who are not following proper strong-password guidelines.
Train Your Users
Unfortunately, one of the things that many organizations neglect to do is to properly train their users on what the SSO platform is, why the company has opted to use it, and what they can do to help ensure that all of the systems that are linked to it remain safe from attack or compromise.
Enforce Strong Passwords
Many SSO platforms allow administrators to set password strength requirements for users that will have access to, and be authenticating to, the SSO platform. Passwords should be at least 8 characters in length (or longer) and require that the user use upper- and lower-case letters, numbers, and special characters, including spaces. By setting this control within the system you ensure that your users can’t use weak dictionary-word passwords and thereby place the crown jewels at risk.
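The following is an added example, not code from the original post or from any SSO vendor, of how the password rules described above can be checked at the SSO platform before a password is accepted. The minimum length, character classes and the tiny dictionary of common words are taken from the post or constructed for illustration; a real deployment would load a full wordlist.

```python
import re

MIN_LENGTH = 8  # the post's minimum; longer is better

# Constructed, deliberately tiny list of dictionary words (illustration only).
COMMON_WORDS = {"password", "welcome", "summer", "company", "letmein"}


def policy_violations(password: str) -> list:
    """Return a list of reasons the password fails the policy (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    # Anything that is not a letter or digit counts as special, so a space qualifies.
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character (spaces are allowed)")
    # Strip digits and symbols: "Password1!" still rests on the word "password".
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in COMMON_WORDS:
        problems.append("based on a common dictionary word")
    return problems


def is_acceptable(password: str) -> bool:
    """True only when no policy rule is violated."""
    return not policy_violations(password)


if __name__ == "__main__":
    for candidate in ("Password1!", "Abc1!", "correct horse 9 Battery"):
        print(repr(candidate), "->", policy_violations(candidate) or "accepted")
```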
Use Two-Factor Authentication Where Possible
Most of the modern SSO platforms now offer the user the ability to use two-factor authentication as an additional protection measure for the SSO platform. Two-factor authentication comes in many flavors like:
- A text message is sent to your mobile device that contains a string of numbers that the user must provide to the SSO platform within a certain period of time, along with their username and password, to enable them to authenticate to the SSO platform.
- A phone call to your cell phone or land line that requires you to enter certain digits on the keypad before allowing you to authenticate to the SSO platform.
- A mobile application on your phone or other mobile device that is sent an encrypted message asking you to allow or deny authentication to the SSO application.
- A hardware token that provides you with a number or set of characters that is used much like the text message option mentioned above. The set of numbers or characters is time sensitive and will only allow the user to use them for a certain time period, typically 60 seconds.
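As an added illustration of the time-sensitive codes in the last bullet (not code from the original post or from any token vendor), the block below generates and verifies HMAC-based time codes in the style of RFC 6238 with the post's 60-second step. The seed, timestamps and one-step drift allowance are constructed assumptions; the point is that a code is only accepted inside its window, and that the comparison is constant-time.

```python
import hashlib
import hmac
import struct

# Constructed sample seed for the example; a real token's seed is provisioned secretly.
SECRET = b"example-token-seed-1234"
STEP_SECONDS = 60   # the post's "typically 60 seconds" validity period
DIGITS = 6


def totp_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
              digits: int = DIGITS) -> str:
    """Code for the time step containing unix_time (HMAC-SHA1, dynamic truncation)."""
    counter = unix_time // step                       # same counter for the whole step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # low nibble selects 4 bytes
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, submitted: str, unix_time: int,
                step: int = STEP_SECONDS, drift_steps: int = 1) -> bool:
    """Accept the code for the current step or one adjacent step (clock drift).

    Anything older than that is expired, even if it was once valid.  The
    constant-time comparison avoids leaking how many digits matched.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp_code(secret, unix_time + delta * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    issued_at = 1_000_000
    code = totp_code(SECRET, issued_at)
    for later in (0, 19, 60, 120):
        print(f"code {code} at +{later}s:", verify_code(SECRET, code, issued_at + later))
```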
Do Your Due Diligence
This is a big one. If you are going to entrust so much sensitive information to the SSO platform, it behooves you to do your due diligence on the company that is providing the SSO platform. Formulate a questionnaire that asks critical questions like the following:
- Does the company have an information security program in place that is monitored and controlled either by a Chief Information Officer or a Chief Information Security Officer?
- Does the SSO company audit the source code of the application to ensure that there are no vulnerabilities that might place the SSO platform, and by extension the applications tied to it, at risk?
- Does the SSO company perform their own security testing of the platform and also engage third-parties to test the platform once it is in a production setting?
- How long has the SSO company been in business, and is SSO their primary offering? If it’s not their primary offering, use caution, because you never know when they may decide to turn down the service and thereby leave your company in the lurch.
- And many, many other questions, too numerous to list out in this blog post.
Single Sign-On is a boon for IT administrators and information security personnel alike. It addresses one of the things that causes them the most nightmares in most organizations: the insecurity of multiple passwords being written down or stored insecurely by users. Used properly, it allows users to utilize strong passwords, in many cases two-factor authentication, and still gain access to the systems they need to perform their job functions in a safe and effective manner.