Reap the Promise of One and Done Authentication With SSO

Every day, the average business employee inputs credentials to authenticate identity and access apps and sites several times — using one of the 8–12 passwords the average person has, according to the “IBM Future of Identity Report.” If you get your password wrong too many times, you’re locked out and you call the IT help center to reset it, again. Which leads you, the help center and the system administrator all to think there must be a better way. Fortunately, there is single sign-on (SSO).

What is SSO? It’s a user authentication technology that requires only one set of credentials to provide access to everything you need. Once you’re authenticated on a centralized platform in an enterprise, for example, you can use a range of applications — from on-premises programs to cloud resources to software-as-a-service (SaaS) apps such as Salesforce and Office 365 — without logging in and out again.

Eliminate the Problems With Passwords

A typical employee may start with only a few credentials, but after a few weeks or months, that number will quickly increase. Furthermore, according to the “Future of Identity Report,” only 42 percent of millennials use complex passwords (versus 49 percent of people over the age of 55) and 41 percent reuse the same password multiple times (versus 31 percent). Administrators may be sympathetic to password fatigue and interrupted user experiences, but security is an even greater concern. Verizon’s “2018 Data Breach Investigations Report” listed stolen credentials as one of the leading causes of data breaches.

What users are accessing with those passwords is also critical; another key factor behind many breaches is the abuse of access privileges. Many enterprises fail to implement access management solutions that ensure employees have only the privileges they need to do their jobs. This puts the organization at greater risk given that insider threats are at the root of 60 percent of cyberattacks.

If you’re an administrator, you oversee databases that hold passwords, permissions for access to applications and resources, help center troubleshooting and support to change credentials, and training to keep users from falling for phishing scams or other hacks that could result in a breach. That can be a lot, especially for larger companies with hundreds or thousands of employees.

The solution requires taking responsibility for security away from users by eliminating the need to have multiple passwords.

Implement SSO for Seamless User Experiences

Single sign-on changes how authentication and identity and access management work. Normally, when you want to sign up for an application, the server first verifies whether you already have an account. If not, the server securely stores your email and encrypted password in a database. The server then creates a session and sends a token confirming your identity. Your browser stores the token in a cookie that verifies your identity when you’re logged in. Next time you want to log in, the server compares your password to what’s in the database and you’re in or out.

With federated SSO, however, you get another option. You’ve probably been asked if you want to sign up for an app or site using Facebook or Google, for example. Various standards, including Security Assertion Markup Language (SAML), Open Authorization (OAuth) and OpenID Connect (OIDC), let these web giants give third-party apps and sites access to your information.

You choose your provider — say, Google — and the third party verifies that you’re already logged in to Google. If not, you log in and then choose what information you’re willing to share with the third party. Google verifies that both you and the third party are legitimate, then authenticates you based on its own password database and issues a token back to the site. The third-party site can now associate you with the user data you’re willing to share — such as preferences, previous sales and so on — and you can move seamlessly between applications for which you have access without logging in each time.

A Win-Win for Users and Administrators

It’s easy to see why users would love SSO, whether they’re at home or at work. In the enterprise, they can use one set of credentials to access all their apps instead of remembering, looking up and frequently resetting multiple passwords. New users can sign up for accounts easily and securely, using a provider they already trust.

Administrators, on the other hand, can securely provide access to resources and applications, whether they’re on premises, in the cloud or in a hybrid cloud. But to reduce risk, it’s critical to focus on security as well as convenience.

Ensure the Upside Isn’t a Downside

Forrester emphasizes that authentication is mission-critical infrastructure in “Now Tech: Authentication Management Solutions, Q3 2018.” If an SSO provider experiences a security breach or an authenticator goes down, users can’t get online. And if only one set of credentials is needed to access a multitude of apps and resources, the security around those credentials must be ironclad. After single sign-on implementation, compromised credentials give a threat actor entry not just to one resource, but all of them.

More secure authentication should include access without passwords, such as scanning a code with a user’s phone; frictionless biometrics, such as fingerprint, voice or face recognition; and geolocation. For example, IBM Cloud Identity provides seamless and secure authentication for native, web, mobile or cloud applications via biometrics, FIDO2, Universal Second Factor (U2F), FaceID, Touch ID, email/SMS one-time passwords or soft tokens. The solution can also reduce reliance on passwords by providing multifactor authentication (MFA) to any target system, including virtual private network (VPNs), mainframes, Linux or desktop.

An ideal solution will also incorporate risk-based authentication. For example, an employee logging in from her desktop at 2 p.m. on a workday may gain access with just a single password, but a user across the globe logging in on a new device at midnight may require MFA.

Evolving With Your Ecosystem

Perhaps the best feature of SSO is its scalability; you can future-proof access management, as this case study on POST Luxembourg showed. As your enterprise changes and grows, you can continue to provide a convenient sign-on experience to users, customers and partners and a centralized solution that gives them secure and integrated access to resources via almost any device, anytime and anywhere.

IT administrators, line-of-business managers and employees all benefit from an identity and access management solution like single sign-on. It allows registered users to access applications with one set of credentials, provides a centralized place for admins to manage all protected applications and configure access policy settings, and, best of all, the cloud has made single sign-on implementation more affordable and less time-intensive than ever.

Learn how an IAM solution can benefit you

Contributor'photo
Diana Kightlinger is an experienced journalist, copywriter and blogger for science, technology and medical...