Single sign-on (SSO) has some benefits — and some attendant risks. Here are a couple of easy steps to make your company’s SSO system more secure.
Single sign-on (SSO) is a method of access control in which users log in once and gain access to every system they are authorized to use without any further login prompts. Instead of employees having to remember multiple passwords for the various systems they log in to and services they use, they can reach everything they need with a single password. Single sign-on sounds great, but the practice comes with ample security risks. Organizations determined to simplify their authentication processes through single sign-on must work out how to balance the convenience of that authentication method with the risks that accompany it.
Single sign-on does have many benefits. It makes it easier for users to remember their username and password combinations, since there are far fewer of them to learn. It also reduces the time users spend entering passwords, since a single login unlocks access to all their resources. Single sign-on can also reduce the time Help Desk employees spend handling password resets and helping users who get locked out of their accounts. A final benefit is that a centralized authentication service makes it easy for IT to control the security profiles of individual users.
However, there are also risks involved. Just as it is bad practice to use the same password on all your various web services, it is also dangerous to let one username/password combination unlock every resource an individual employee has access to. Having separate passwords for different services limits the amount of data that can be breached if one password is stolen. With single sign-on, by contrast, an attacker who obtains an employee’s password can access everything that employee can. It also means that an employee who forgets his password cannot reach any work resources at all, which can mean lost productivity until he is able to contact a Help Desk employee and regain access.
Using multiple passwords also lets security operations apply different levels of security to different kinds of authentication and password resets. For example, logging into an email account that is used for password resets of other services should be protected with multi-factor authentication, while other, less sensitive accounts could be protected by only a username and password. Password complexity requirements can likewise vary with the degree of security each system requires. If employees have trouble remembering the passwords to all their different accounts, they can try a password rule in which a primary password has something appended or prepended that reminds them of the service they are logging into, such as the first three letters of the service’s name.
Organizations that do decide to use a single sign-on system should be wary of the security risks and take steps to minimize them. This includes requiring multi-factor authentication and enforcing password requirements. Those two steps reduce the risk of unauthorized individuals gaining access to the system. Organizations that use single sign-on should still have an automated password reset program in place, however, to reduce the risk of social engineering schemes that are used to obtain passwords from Help Desk staff.
If your organization has decided to adopt a single sign-on system and needs a multi-factor authentication solution to make the system more secure, or if you’ve decided to continue with separate user accounts and passwords for each employee and need an automated system for handling password resets and access control, then sign up for a free trial of ReACT. ReACT is an application that is ideal for automating the password reset and synchronization process across all the applications throughout your enterprise — and with its multi-factor authentication capabilities, you’ll be helping to secure your SSO system.