Single Sign-On (SSO): How to differentiate the good from the bad when it comes to user experience and security

Launching a Single Sign-On (SSO) project in an organisation is often linked to the user’s dissatisfaction with the current IT system, and the need to remember countless logins and passwords to access everyday applications.

In the absence of an application designed to remember IDs and passwords and input them automatically for the user, many users tend to bypass security policies. They choose weak passwords (short, simple, easy to guess), write them down, or give them to trusted colleagues while they are out of the office.

For Chief Information Security Officers (CISOs), the absence of SSO results in unacceptable weaknesses: incompatible security strategies and password policies for each application, varying levels of security, and complicated audit and traceability. Last but not least, the cost to businesses is very real. Industry analysts maintain that resetting user passwords and keeping the necessary support teams in place costs several dozen euros per user per year for large organisations.

All of these issues can be resolved with the implementation of an SSO solution. SSO considerably improves the user experience: the user authenticates only once, via the primary authentication method defined by the company. The SSO solution then automatically authenticates the user to the other applications they want to access, using their secondary credentials. There is no need to remember multiple passwords; SSO takes care of it. This provides added peace of mind for both users and the IT security team.

Once the budget for an SSO project is approved, the CISO typically manages the implementation and oversees the project. This process should always start with answering some basic questions, the first of which is: how do you differentiate a good SSO solution from a bad one?

A bad SSO solution is limited to SSO features alone. A good SSO solution adds to the basic functions already in place with additional features essential to IT security. These features include strengthening authentication mechanisms, access control logic (limiting an authenticated user's access to specified applications), and tracing access to all protected applications.

Before automatically authenticating a user on an application, a good SSO solution will strongly authenticate them and control their rights. It then improves the user experience and traces their activities including authentications, authorisations and delegations. Security is therefore maximised before (through authentication and access control) and after (through traceability) the SSO operation takes place.

What to look out for in a good SSO solution

  • Authentication: As access to all authorised applications is automatic once the user has completed primary authentication, it is essential to ensure that the primary authentication is properly secured. Any SSO solution should offer several one-, two- or three-factor authentication methods (something the user knows, something they have and something they are). The choice will depend on the security device used (smartcards, USB keys, etc.) and on the sensitivity of each application. Authentication must also be possible across all devices (fixed workstations, laptops, tablets and smartphones), on web portals accessed from inside or outside the organisation, and in virtualised environments.
  • Access control: Once the user is authenticated on the SSO solution, it should be possible to grant access, or not, depending on various criteria. This includes the level of primary authentication (one, two or three factor), time slots, origin IP/DNS, user profile provided by the company’s directory or the access rights management solution and type of device (PC, tablet, smartphone).
  • SSO: SSO must be accessible across all applications including web applications, client server applications, virtualised, mobile, internal or external, in the office or at the partner’s location, in SaaS or Cloud mode, controlled or not, etc. In short, it must cover Web Access Management, Enterprise SSO and Identity Federation. Organisations using only web applications or external applications are largely a thing of the past.
  • Traceability: For all protected applications, reports, audits, authentication statistics, authorisations and delegations should be visible from a single source.
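The access-control and traceability bullets above describe a policy decision made per application from several criteria (primary authentication level, time slot, origin IP, directory profile, device type) whose outcome is then recorded. The following is an added example of such a policy evaluator; it is not code from the original article or from any SSO product. The policy values, network ranges, users and addresses are constructed for illustration, and the reason list it returns is what a single-source audit report would need to explain each refusal.

```python
# Added example: per-application access-control policy for an SSO gateway.
# All policies, users, addresses and time windows below are constructed.
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRequest:
    user: str
    profile: str        # role from the company directory, e.g. "finance"
    auth_level: int     # number of factors used at primary authentication (1-3)
    source_ip: str      # origin IP seen by the SSO portal
    device: str         # "pc", "tablet" or "smartphone"
    at: time            # wall-clock time of the request


@dataclass(frozen=True)
class AppPolicy:
    app: str
    min_auth_level: int
    allowed_profiles: frozenset
    allowed_devices: frozenset
    allowed_networks: tuple = ()                     # empty tuple: any network
    window: tuple = (time(0, 0), time(23, 59, 59))   # (start, end) inclusive


def evaluate(policy: AppPolicy, req: AccessRequest):
    """Return (granted, reasons). Every failing criterion is reported, so the
    audit trail shows why access was refused; access is granted only when the
    reason list is empty, i.e. all checks passed (deny by default)."""
    reasons = []
    if req.auth_level < policy.min_auth_level:
        reasons.append(f"auth level {req.auth_level} below required {policy.min_auth_level}")
    if req.profile not in policy.allowed_profiles:
        reasons.append(f"profile {req.profile!r} not authorised for {policy.app}")
    if req.device not in policy.allowed_devices:
        reasons.append(f"device {req.device!r} not permitted for {policy.app}")
    if policy.allowed_networks:
        addr = ip_address(req.source_ip)
        if not any(addr in ip_network(net) for net in policy.allowed_networks):
            reasons.append(f"source {req.source_ip} outside allowed networks")
    start, end = policy.window
    if not (start <= req.at <= end):
        reasons.append(f"request at {req.at} outside window {start}-{end}")
    return (not reasons, reasons)


def audit_line(policy: AppPolicy, req: AccessRequest) -> str:
    """One line per decision, suitable for the single-source report the
    traceability requirement calls for."""
    granted, reasons = evaluate(policy, req)
    verdict = "GRANT" if granted else "DENY"
    detail = "; ".join(reasons) if reasons else "all criteria satisfied"
    return f"{verdict} user={req.user} app={policy.app} auth_level={req.auth_level} reason={detail}"


# Constructed policy: payroll needs two factors, a finance profile, a managed PC,
# an internal address and office hours.
PAYROLL = AppPolicy(
    app="payroll",
    min_auth_level=2,
    allowed_profiles=frozenset({"finance"}),
    allowed_devices=frozenset({"pc"}),
    allowed_networks=("10.0.0.0/8",),
    window=(time(7, 0), time(20, 0)),
)

# Constructed requests: one that satisfies every criterion, one that fails four.
OK_REQUEST = AccessRequest("alice", "finance", 2, "10.1.2.3", "pc", time(9, 0))
DENIED_REQUEST = AccessRequest("bob", "finance", 1, "203.0.113.5", "smartphone", time(22, 0))

if __name__ == "__main__":
    for req in (OK_REQUEST, DENIED_REQUEST):
        print(audit_line(PAYROLL, req))
```

The evaluator never short-circuits on the first failure: collecting every failing criterion costs nothing and gives the audit report the full picture, which matters when the same user is refused repeatedly and the security team needs to tell a forgotten second factor apart from an unexpected source network.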

Good SSO serves all purposes: users enjoy quick and easy authentication to all authorised applications and the CISO can apply comprehensive security policies covering the entire IT system. SSO strengthens authentication and allows for traceability to all controlled applications. In addition, the Chief Finance Officer (CFO) can considerably reduce the cost of managing and renewing user passwords.

Why choose between user comfort and increased security when you can have both?