Comparing the Different Types of Single Sign-On (SSO)
By Chris Webber, Centrify Corporation
As users struggle to manage dozens of personal and business login credentials, password management has become an increasingly hot -- and confusing -- topic. The wide range of options for managing passwords can make it tough for users to find the one that best fits their specific needs.
There are important differences between “single sign-on,” “centralized login” and “social login,” and understanding those technologies and their respective attributes (like security strength and convenience) is important in deciding when to use one over another. Here’s a tutorial and a scorecard to help keep it all straight.
1. Single sign-on
Security Rating: A | Convenience Factor: A
What it is:
A business-focused solution where IT departments manage apps and provide users with limited access to them. One master password gets the user into the domain or the authentication system, which then acts as the master identity provider. That identity provider then authenticates the user to all other apps and services, often using security-focused federation standards like SAML to grant access to individual apps. IT can also add further layers of protection, including multi-factor authentication, driven by contextual policy that considers network, location, device and more.
Pros: Drops the number of user passwords from dozens to one. Increases worker productivity with instant access to the resources they need. Boosts security through the granular management of user identities.
Cons: Typically limited to business use. Reduction in password reset requests could leave help desk workers doing crosswords.
2. Shared sign-on
Security Rating: F | Convenience Factor: A
What it is:
Users employ the same “master” password across any number of sites, apps, forums and other resources.
Pros: One password for everything should be extremely easy to remember, even when the requisite upper and lower case letters, numbers and symbols are used.
Cons: This is perhaps the weakest of all password strategies. Even if the password is extremely challenging, once a hacker breaks it, they gain access to everything that shares that password -- banking sites, social sites, stock and 401k sites, and even retail sites that store credit card info.
3. Centralized login
Security Rating: C+ | Convenience Factor: A
What it is:
Centralized logins generally refer to plug-ins that monitor the browser for name and password fields. As the user fills them out, they offer the option to store the information for future use. In an alternative version of centralized login, the browser creates and stores its own password that even the user doesn’t know -- or need to know -- as long as the same browser type is used for each login. This can be combined with social login to provide a “no password experience” across multiple devices that have signed in to the same service.
Pros: Highly convenient and protects against brute force attacks better than using the same password everywhere.
Cons: Assumes that every one of the user’s computers and devices is secured with a very strong form of protection. If not, anyone who finds a lost device could gain entry to everything ever accessed via the browser.
4. Password manager
Security Rating: B | Convenience Factor: B-
What it is:
There are several password management tools on the market today. These consumer-focused solutions usually create and store random passwords for future use. The tool will then recognize when a user revisits a site and offer to log them into it automatically. The user will still need to prove their identity by logging in to the password management tool, but will not need to remember the individual password for each site.
Pros: Simplifies the process by storing individual, randomly created passwords for any number of sites.
Cons: Consumer-grade technology. Centralized password managers store millions of passwords for millions of users, so they’re a prime target for bad guys. A lost master password can lead to complete account lockout for users, and total account reset.
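As an added example (not code from the article, nor from any product it mentions), here is a minimal vault that works the way the paragraph describes: it generates a random password per site, keeps each one encrypted under keys derived from the master password, and unlocks only when that master password is supplied again. The cipher is a toy HMAC-SHA256 counter keystream with encrypt-then-MAC, standing in for an authenticated cipher such as AES-GCM so that the example runs on the standard library alone; the iteration count, site names and user name are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
PBKDF2_ITERATIONS = 100_000  # constructed for the example; tune for the target hardware


def generate_password(length: int = 20) -> str:
    """Random per-site password drawn from a CSPRNG, never from the user's memory."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_keys(master_password: str, salt: bytes):
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. Stand-in for AES-GCM.
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong master password fails here, it never yields garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or corrupted vault entry")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Vault:
    """Hypothetical password-manager vault: one master password, many random site passwords."""

    def __init__(self, master_password: str, salt: bytes = None):
        self.salt = salt or os.urandom(16)
        self._enc, self._mac = derive_keys(master_password, self.salt)
        self.entries = {}

    def add_site(self, site: str, username: str, password: str = None) -> str:
        pw = password or generate_password()
        self.entries[site] = {"username": username,
                              "secret": seal(self._enc, self._mac, pw.encode()).hex()}
        return pw

    def get_password(self, site: str) -> str:
        return unseal(self._enc, self._mac, bytes.fromhex(self.entries[site]["secret"])).decode()

    def export(self) -> dict:
        # What would be synced or stored on disk: salt plus ciphertexts, no keys.
        return {"salt": self.salt.hex(), "entries": self.entries}

    @classmethod
    def unlock(cls, master_password: str, data: dict) -> "Vault":
        vault = cls(master_password, bytes.fromhex(data["salt"]))
        vault.entries = dict(data["entries"])
        return vault


if __name__ == "__main__":
    vault = Vault("correct horse battery staple")
    generated = vault.add_site("https://shop.example.test", "alice")
    print(vault.get_password("https://shop.example.test") == generated)  # True
```

Nothing in the exported vault can be decrypted without the master password, which is exactly why the paragraph's last point holds: lose it, and the only way forward is resetting every stored account.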
5. Social login
Security Rating: B- | Convenience Factor: A-
What it is:
This method leverages a trust relationship between major social networks like Facebook and Google+ and secondary apps or websites to provide easy access for shared users. Once authenticated by Facebook, for example, users can visit any number of related (or unrelated) forums that offer the opportunity to “log in with Facebook.”
Pros: The password is managed directly by the consumer, so changing it regularly is easy and only needs to be done on the main social site.
Cons: Because they’re not tightly regulated, users often choose simple, easily cracked passwords. Once the password is cracked, hackers may gain access to everything the user accesses through their social login. Not only can they post as the member on the social media site directly, they can gain access to any other site or app that trusts the federated logon. And there’s no centralized management of which apps can or cannot be accessed, and no ability to manage the central password.
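To make the federated flow behind both business SSO (section 1) and social login (section 5) concrete, here is an added example, not code from the article or from Centrify, of an identity provider issuing a short-lived signed assertion for one app after a single master login, and a service provider verifying it. A compact JSON assertion signed with HMAC-SHA256 stands in for SAML; a real IdP signs with an asymmetric key so relying apps only ever hold the public half. The issuer URL, user names, entitlement table and MFA policy are constructed for the example. The entitlement check is the centrally managed "which apps may this user reach" decision that section 1 credits to IT and that the social-login cons say is missing.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key for the example (a SAML IdP would use a key pair).
IDP_KEY = secrets.token_bytes(32)
IDP_ISSUER = "https://idp.example.test"  # hypothetical issuer

# IT-managed policy, hypothetical data: who may reach which app, and which
# apps demand a second factor before an assertion is issued.
ENTITLEMENTS = {"alice": {"https://crm.example.test", "https://hr.example.test"}}
MFA_REQUIRED = {"https://hr.example.test"}
ASSERTION_TTL = 300  # seconds; short validity limits replay of a captured assertion


def _sign(claims: dict, key: bytes) -> str:
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + mac


def issue_assertion(user: str, audience: str, mfa_done: bool, now=None) -> str:
    """IdP side. The user already authenticated once to the IdP with the master
    password (plus MFA where policy demands it); mint an assertion for one app."""
    if now is None:
        now = time.time()
    if audience not in ENTITLEMENTS.get(user, set()):
        raise PermissionError(f"{user} is not entitled to {audience}")
    if audience in MFA_REQUIRED and not mfa_done:
        raise PermissionError(f"{audience} requires multi-factor authentication")
    claims = {
        "iss": IDP_ISSUER,
        "sub": user,
        "aud": audience,                 # bound to exactly one relying app
        "iat": int(now),
        "exp": int(now) + ASSERTION_TTL,
        "amr": ["pwd", "mfa"] if mfa_done else ["pwd"],  # how the user authenticated
        "jti": secrets.token_hex(8),     # unique id so the app can spot a replay
    }
    return _sign(claims, IDP_KEY)


def verify_assertion(token: str, expected_audience: str, key: bytes = IDP_KEY, now=None):
    """Service-provider side. Returns the claims if the assertion is authentic,
    addressed to this app and inside its validity window; otherwise None."""
    if now is None:
        now = time.time()
    try:
        body_b64, mac = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
    except (ValueError, binascii.Error):
        return None                      # malformed token
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected_mac):
        return None                      # tampered, or not signed by our IdP
    claims = json.loads(body)
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != expected_audience:
        return None                      # wrong issuer, or minted for a different app
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None                      # not yet valid, or expired
    return claims


if __name__ == "__main__":
    token = issue_assertion("alice", "https://crm.example.test", mfa_done=False)
    print(verify_assertion(token, "https://crm.example.test")["sub"])   # alice
    print(verify_assertion(token, "https://hr.example.test"))            # None
```

The audience check is what keeps one app's assertion from opening another, and the entitlement and MFA checks live in one place the IdP controls; a social-login setup that lacks that central policy has only the signature and expiry checks on the relying side.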
Bad news: Compromised credentials are at the heart of every recent corporate breach, as well as identity theft. We are under attack every day, whether we know it or not, and all that stands between us and the bad guys are usernames and passwords.
Good news: We have the upper hand – if we use good password hygiene and remember to leverage multi-factor authentication (MFA). All of the tools listed help to reduce the need for remembering multiple passwords, which in turn should make us better at making passwords that are complex and tough to crack. Plus MFA is simpler than ever to use, often requiring nothing more than a mobile phone. There is no silver bullet, but by better protecting our own accounts, we are also minimizing the threats other folks face as our lives grow increasingly digital.
Chris Webber is a Director of Marketing at Centrify Corporation. He is a security wonk, a cloud evangelist, a product guy, and a recovering IT professional. Having spent time at both Silicon Valley startups and global powerhouses, Chris developed his particular slant on cloud and mobile security at companies like Zscaler, Blue Coat Systems, Good Technology, and Pertino.