If you have signed into Gmail and noticed that you were also able to access Google portfolio apps such as Google Maps, YouTube, Google Play, Google Photos and other Google applications, you are already using SSO! The user logs in once to a Google account, and has access to other Google applications.
Single Sign-On happens when a user logs into one application and then is able to sign into other applications automatically, without being prompted for passwords, regardless of the domain they are in or the technology they are using. SSO makes use of a federation service or login page that orchestrates the user credentials between multiple applications. In the above example, this service is Google Accounts.
SSO reduces password fatigue: users no longer have to remember a separate password for each application. SSO also simplifies security administration by centralizing provisioning and applying the same security rules across applications. Unlike in the past, a user's access can easily be revoked across all applications when an employee leaves.
However, as applications are web-enabled and delivered through cloud or on-premises deployments, we can assume that application-specific cyber-attacks will continue.
Securing these applications is a complex task, in terms of provisioning and maintenance, but especially in terms of securing access. Authenticating users, by having them assert an identity and then challenging them to prove it, is one of the aspects of securing access.
Balancing convenience with caution – Multi-Factor Authentication (MFA)
As single sign-on provides access to many applications once a user is authenticated, this convenience also increases the impact if the user's credentials are compromised.
According to Wikipedia, “Multi-factor authentication (MFA) is a method of access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).”
The most common form of MFA is two-factor authentication (2FA). An example many of us are familiar with is using a password as the first factor and, as the second factor, a code such as a PIN from a token generator like RSA SecurID, or a one-time password (OTP) received through a phone call, SMS message, or email.
There are other variations, especially when a user is not personally known to the organization. For example, credit companies extract information from the user's credit file and present it as challenge questions, using them as one of the factors before granting access to sensitive credit information.
SSO is great for convenience, but the fact remains that attackers want those user credentials, since they represent access to restricted information and money. MFA adds a layer of security to application access, making it more difficult to compromise.