9.1 Single sign-on: Pros and cons

A study conducted by the Network Applications Consortium (http:// www.netapps.org) in large enterprises showed that users spend an average of up to 44 hours per year to perform logon tasks to access a set of four applications. The same study measured the content of the calls to companies’ helpdesk: 70% of the calls were password reset requests.

SSO is advantageous for both users and administrators. There is no need to point out that a user and an administrator’s life becomes much easier if they have to deal only with a single set of credentials—one for every user. An average user will have to provide his or her logon credentials only once every day, and he or she will need to change only a single set of credentials at regular intervals. Indirectly this will increase a user’s productivity. The authentication infrastructure, its administrators, and helpdesk operators will only need to keep track of the changes to a single entry for every user in the credential database. A key advantage is also that all authentication data are centralized and can be accessed and manipulated using the same tools and procedures. The latter may also be a weakness: If a malicious person gets to the database and can bypass its security system, he or she gets access to all of the data at once.

The advantages of SSO are not only related to the ease of administration and use, but SSO also brings important security advantages. Centralization eases the enforcement of a consistent authentication policy throughout the enterprise. Obviously, it is also much easier to secure a centralized than a distributed infrastructure. The lack of SSO services increases the risk for compromise of an authentication service’s security. For example, because users need to keep track of different password credentials, they may start writing them down on Post-it notes and stick them to the back of their keyboards. Indirectly the absence of SSO can also affect the availability of an authentication service. The more passwords users have to remember or keep track of, the greater the chances that they forget or lose them.

A good SSO solution is also platform- and/or application-neutral: It can hide the authentication implementation details on different operating system platforms from the SSO user and can provide support to “outsource” the application-level authentication logic to a centralized SSO authentication authority.

An often-heard argument against SSO is that SSO credentials are the “key to the kingdom.” If one can obtain the SSO credentials, one obtains access to all resources secured by them. This risk may be reduced when choosing SSO credentials that are not knowledge-based (a classic example of knowledge-based credentials are passwords) but rather biometric-based (e.g., using fingerprints) or possession-based (e.g., using cryptographic tokens or smart cards). The use of multifactor authentication solutions for SSO will further reduce this risk.