Businesses today face a constant struggle to balance robust information security while facilitating user productivity in hybrid IT infrastructures. Single sign-on provides a compelling way to overcome this struggle when it comes to securely authenticating users logging in to multiple business applications and services across on-premise, mobile, and cloud. Read on to find out exactly how single sign-on works, the problems it solves, and some security considerations.
Password Fatigue
The tricky balancing act between user productivity and securing your environment against cyberattacks becomes most evident when considering how users typically log in to the apps and services they need to perform their jobs. Most modern enterprise departments use 40 to 60 applications, and individual users often need access to at least 10-20 of them. Digital transformation initiatives are behind this rise in the number of apps that business users typically work with.
In encouraging staff to become more security conscious, businesses often communicate the importance to their employees of creating unique passwords for each service and application they log in to. In fact, some apps even mandate certain levels of password length and complexity. But when you have so many passwords to remember, the very bad habits you want to eliminate, such as reusing passwords in different apps, creating weak passwords, or writing passwords down, become more widespread.
The stress and resistance felt when having to create, remember, and manage all these passwords is known as password fatigue. Aside from leading to bad habits, password fatigue also reduces employee productivity, in the following ways:
- When people feel stressed, it’s harder to get work done.
- The time burden spent remembering and typing in different passwords also directly impacts productivity for everyday business users.
- IT helpdesks also suffer because they get inundated with password reset tickets and end up spending all day dealing with them rather than other important tasks.
So, is there a better way to do things?
What is Single Sign-On and How Does It Work?
Single sign-on (SSO) is an authentication method that enables users to log in once and gain access to multiple applications and services using a single set of credentials. The technology works in the following way:
- When users attempt to access an application, their access request gets sent to a centralized authentication server managed by an SSO provider instead of sending the request directly to the backend of the application for authentication.
- The SSO solution checks for an authentication token. Tokens rely on a concept known as federated identity, which enables a centralized authentication server to share user identity attributes among different applications.
- If there is a valid authentication token, this means the user has already been verified, so the request is approved and users get access to the application without needing to enter a password or other credentials.
- If there is no valid authentication token, the SSO solution requests the user's login credentials once and then generates a digitally signed authentication token that remains valid for accessing other applications.
- SSO token lifetimes have multiple configuration options; you can typically set a default time for expiration or set tokens to expire after a period of user inactivity.
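The flow in the list above, as an added example that is not part of the original article and not i-Sprint's code: a small Python SSO server that verifies a password once, issues an HMAC-signed token with an absolute lifetime and an inactivity timeout, and lets each application delegate its access check to the server instead of collecting a password itself. The signing key, the user record, the timeouts and the session store are all constructed for the demonstration, and the simple `body.signature` token format stands in for a standards-based SAML assertion or OpenID token.

```python
"""Token-based single sign-on flow (added example, constructed for illustration)."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo values; a real SSO server keeps its signing key in an HSM or key manager.
SIGNING_KEY = b"constructed-demo-signing-key"
TOKEN_LIFETIME_SECONDS = 8 * 60 * 60  # default absolute expiry of a token
IDLE_TIMEOUT_SECONDS = 30 * 60        # expiry after a period of user inactivity


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user directory: username -> (salt, password hash, identity attributes to federate)
DEMO_SALT = b"constructed-salt"
USERS = {
    "alice": (DEMO_SALT, hash_password("correct horse battery staple", DEMO_SALT),
              {"dept": "finance", "roles": ["expenses.approve"]}),
}


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SSOServer:
    """Centralized authentication server: verifies credentials once, validates tokens for every app."""

    def __init__(self):
        # A signed token cannot be edited after issue, so the inactivity timeout is tracked
        # server-side as a last-activity time per session id.
        self.sessions = {}
        self.audit = []  # (app, user or None, time) for every access decision

    def sign(self, body: str) -> str:
        return b64(hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())

    def login(self, username: str, password: str, now: float):
        """Check the credentials once and issue a signed token; None on failure."""
        record = USERS.get(username)
        if record is None:
            return None
        salt, stored_hash, attrs = record
        if not hmac.compare_digest(stored_hash, hash_password(password, salt)):
            return None
        sid = secrets.token_hex(16)
        payload = {"sid": sid, "sub": username, "attrs": attrs,
                   "iat": now, "exp": now + TOKEN_LIFETIME_SECONDS}
        body = b64(json.dumps(payload, sort_keys=True).encode())
        self.sessions[sid] = now
        return f"{body}.{self.sign(body)}"

    def validate(self, token: str, now: float):
        """Return the federated identity attributes if the token is genuine and still live, else None."""
        body, _, sig = token.partition(".")
        if not hmac.compare_digest(sig.encode(), self.sign(body).encode()):
            return None  # forged or tampered: signature does not match
        payload = json.loads(unb64(body))
        last_seen = self.sessions.get(payload["sid"])
        if last_seen is None or now > payload["exp"] or now - last_seen > IDLE_TIMEOUT_SECONDS:
            self.sessions.pop(payload["sid"], None)  # expired: the next request needs a fresh login
            return None
        self.sessions[payload["sid"]] = now  # activity keeps the idle window open
        return {"user": payload["sub"], **payload["attrs"]}


def access_app(sso: SSOServer, app: str, token, now: float, credentials=None):
    """An application's access check, delegated to the SSO server.

    Returns (granted, token); the token is new when the user had to log in.
    """
    identity = sso.validate(token, now) if token else None
    if identity is None and credentials is not None:
        token = sso.login(*credentials, now=now)  # credentials are asked for once
        identity = sso.validate(token, now) if token else None
    sso.audit.append((app, identity["user"] if identity else None, now))
    return identity is not None, token


if __name__ == "__main__":
    sso = SSOServer()
    t0 = 1_700_000_000.0  # constructed clock
    granted, tok = access_app(sso, "expenses", None, t0)  # no token yet: nothing granted
    granted, tok = access_app(sso, "expenses", None, t0, ("alice", "correct horse battery staple"))
    print("expenses after login:", granted)
    print("payroll with same token:", access_app(sso, "payroll", tok, t0 + 60)[0])
    print("tampered token:", access_app(sso, "payroll", tok + "x", t0 + 60)[0])
    print("after idle timeout:", access_app(sso, "payroll", tok, t0 + 60 + IDLE_TIMEOUT_SECONDS + 1)[0])
```

The second application never sees a password: it only forwards the token and receives the federated attributes (`user`, `dept`, `roles`) or a refusal. Because the token itself is immutable once signed, the inactivity timeout is enforced from server-side session state; the alternative used by some products is to re-issue a fresh token on each use.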
The exchange of tokens in SSO typically uses one of several competing standards-based protocols, including Kerberos, OpenID, or SAML. These protocols ensure the SSO solution can securely communicate identity data, such as whether the user has been authenticated and what permissions they have, with different applications. The tokens that store identity data are kind of like temporary identification cards.
For legacy web and non-web applications that cannot be enhanced to support the federated SSO standards, another approach, commonly known as Enterprise SSO (ESSO), can be used. The ESSO approach relies on a password wallet concept and works by filling in the application password on behalf of the user.
Ideally, a modern SSO solution should function across on-premise applications, cloud-hosted SaaS apps, legacy apps, and mobile apps.
SSO Benefits
The main end-user benefits of SSO are improved productivity and reduced password fatigue. One study at an educational institution found that using SSO saved 2,500 hours each month. These time savings are immediately evident for standard business users who only need to worry about entering credentials maybe one or two times each day.
For IT admin teams, SSO also simplifies identity management. Using a single source of truth in the form of an SSO solution, administrators have the ability to manage identities, set security requirements, and authorize permissions for many different apps and services from a centralized location.
SSO Considerations
The security of your SSO implementation still depends on your policies and processes for identity management and setting passwords. If you allow people to create weak, easily guessable passwords, you’re likely to see compromised accounts. Additionally, giving users excessive access privileges beyond what they need to do their jobs is a recipe for unwanted access to sensitive assets or systems.
Also, given the issue of app sprawl and users registering for shadow IT services/apps, it’s imperative to have good visibility into all regularly used applications. Vetting apps before integrating them into SSO is important. If a regularly used and safe app is not integrated into the SSO workflow, you risk users losing confidence in your solution and becoming frustrated again at having to repeatedly log in.
Is SSO Secure?
There’s a compelling argument that by virtue of only having to create and remember one password to log in to many applications, SSO improves password strength. And with stronger passwords, malicious actors have a harder time breaking in.
But does using strong passwords necessarily translate into better security? After all, threat actors can still compromise user passwords using social engineering techniques or purchasing lists of stolen credentials from the dark web.
Combining SSO with multifactor authentication (MFA) makes its implementation much more secure. If the SSO solution’s centralized server doesn’t detect a valid token, users need to log in with valid credentials. During this login process, using MFA requires users to provide at least two categories of evidence before granting access. Because a malicious actor would need to obtain and control two different categories of evidence, the single sign-on process becomes significantly harder to compromise.
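The MFA-gated login described above, as an added example that is not code from the article or from AccessMatrix: the SSO server's credential check succeeds only when both a knowledge factor (a password) and a possession factor (a time-based one-time code from an authenticator app) verify. The user record, salt and TOTP seed are constructed for the demonstration; the `hotp` and `totp` functions are a direct implementation of RFC 4226 and RFC 6238, which is why the usage note below can check them against those RFCs' published test vectors.

```python
"""MFA at the SSO login step (added example, constructed for illustration)."""
import hashlib
import hmac
import struct

TOTP_STEP_SECONDS = 30


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed enrolment record; a real deployment keeps these in the identity directory.
DEMO_SALT = b"constructed-salt"
DEMO_TOTP_SEED = b"constructed-totp-seed-0123456789"  # shared with the user's authenticator app at enrolment
USERS = {
    "alice": {"salt": DEMO_SALT,
              "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
              "totp_seed": DEMO_TOTP_SEED},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second window."""
    return hotp(secret, int(now // TOTP_STEP_SECONDS), digits)


def verify_password(username: str, password: str) -> bool:
    """Knowledge factor. An unknown user is still hashed so timing does not reveal valid usernames."""
    user = USERS.get(username)
    salt = user["salt"] if user else DEMO_SALT
    expected = user["pw_hash"] if user else bytes(32)
    return hmac.compare_digest(expected, hash_password(password, salt)) and user is not None


def verify_totp(username: str, code: str, now: float, drift_steps: int = 1) -> bool:
    """Possession factor. Accepts the current window and `drift_steps` either side for clock skew."""
    user = USERS.get(username)
    if user is None:
        return False
    step = int(now // TOTP_STEP_SECONDS)
    return any(hmac.compare_digest(hotp(user["totp_seed"], step + d).encode(), code.encode())
               for d in range(-drift_steps, drift_steps + 1))


def login_with_mfa(username: str, password: str, code: str, now: float):
    """The SSO server's credential check when no valid token exists: both categories must pass.

    Both factors are always evaluated so a failure does not reveal which one was wrong.
    """
    knows = verify_password(username, password)
    has = verify_totp(username, code, now)
    if knows and has:
        return {"user": username, "methods": ["password", "totp"]}  # what the issued token would record
    return None


if __name__ == "__main__":
    now = 1_700_000_000.0  # constructed clock
    code = totp(DEMO_TOTP_SEED, now)  # what alice's authenticator app would display right now
    print("password + code:", login_with_mfa("alice", "correct horse battery staple", code, now))
    print("code only:      ", login_with_mfa("alice", "guessed password", code, now))
    print("password only:  ", login_with_mfa("alice", "correct horse battery staple", "000000", now))
```

Two design points matter here. The one-step drift window is the usual compromise between tolerating client clock skew and keeping a leaked code useful for as short a time as possible. And the login evaluates both factors before deciding, so a stolen or purchased password on its own yields the same "no" as a wrong one; the `methods` list is what an SSO server would carry in the issued token so applications can require MFA-backed sessions for sensitive actions. The implementation can be sanity-checked against the RFC vectors: `hotp(b"12345678901234567890", 0)` is `755224` and `totp(b"12345678901234567890", 59, digits=8)` is `94287082`.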
Why You Need SSO
SSO is evidently an excellent solution for bringing balance back into the equation between security and user productivity when it comes to controlling access to business applications. Now that you have an overview of how SSO works, you need a flexible, universal solution that works equally well across legacy enterprise apps, mobile devices, external web services, and internal cloud-based applications. Otherwise, you’ll end up replacing the burden of managing identities across multiple apps with the burden of trying to integrate SSO across different components of your infrastructure.
i-Sprint’s AccessMatrix SSO concept unifies your single sign-on capabilities across cloud, mobile, and enterprise applications. AccessMatrix SSO gives you speedy deployment, easier management, and better security.
Talk to a specialist today about AccessMatrix SSO and how it benefits your business.