For today’s enterprise, maintaining an arsenal of effective network tools is all about access.
Organizations need to provide access to a slew of online programs and applications to the right people in order to streamline operations.
To accomplish this, organizations utilize methods to maximize the use of digital identities for multiple users. Single Sign On (SSO) and its variant called Federated Identity tend to be the go-to mechanisms for most organizations.
The problem is, most companies don’t appreciate the differences between these two methods, as well as the implications they’ll have for employees and overall company security.
What is federated identity and how does it work? How does it differ from SSO?
What are the risks and benefits involved with these methods of digital access?
Single Sign On: The key to access diversity
In the early days of the internet, the web’s infrastructure was not built to accommodate diversified identities. Multiple logins by a single digital identity was considered something to avoid from a cyber security perspective. Which it indeed is.
The drawback to this is that having to log on to different web applications separately and distinctly is cumbersome, time-consuming, and most importantly, kills workflow. The industry had to find an answer to this problem quick.
Enter Single Sign On (SSO).
SSO is a simple yet vital function that allows multiple web applications to be accessed simultaneously. Its what lets you, for instance, browse your Gmail account in one tab and open YouTube in another. It is also the tool in which web services grant you access to different sections in the same broader account. Consider online banking for instance. A user can typically move from their checking account to savings account without re-entering login credentials, even though these two accounts are very distinct. When online bank clients clicks on another section of their accounts, the site re-authenticates them using the same credentials entered during the original login.
What is an Example of Single Sign On (SSO)?
There are many SSO solutions in the market. Active Directory (AD) is an example of a SSO because all domain resources joined to AD can be accessed without the need for additional authentication. SAP, Oracle, IBM and others offer SSO solutions for enterprise use. Okta, OneLogin and others specialize in single sign on for web applications.
What are the Advantages of Single Sign On (SSO) ?
To name a few of the many advantages provides an organization
- Access logs – an SSO portal provides detail reporting on who accessed what
- Session time – by eliminating credential reauthentication users spend less time on the authentication process leading to improved productivity.
- Centralized database – one database that includes logs for authentication and authorization to support compliance and administration.
- Fewer credentials means a lower chance of phishing – phishing emails and social engineering are nearly impossible
- Reduce help desk costs – reducing the amount of credentials (passwords) translates to fewer help desk calls which are estimated at 20 – 50% of all help desk calls.
What are the Disadvantages of Single Sign On (SSO) ?
The main disadvantage of SSO is in its use of one set of credentials, if those credentials are not protected correctly and are stolen the thief has access to your entire kingdom.
Companies should always use a 2nd factor to login to SSO (at the very less), companies who take security seriously will use multi factor authentication (MFA).
The second less talked about disadvantage to SSO is the fact that while it provides single sign on it does not provide single sign off, the logoff process varies from application to application and depends on the settings of the application, user sessions usually stay active long after the user has completed his/hers use which can easily lead to session hijacking.
Federated Identity Vs. SSO
While the advent of SSO brought great convenience to users it left some holes unfilled.
For one, users have to rely on any given application to support multi-factor authentication (MFA) for additional protection. The user still has to remember all the different passwords for each site they’re using or resort to a password manager. SSO also creates potential security liabilities. For example, any user with login credentials for a specific service will continue to have access until their account is manually deactivated. This inevitably creates the scenario in which employees maintain access to company services long after they leave the company. It also results in the company still paying for licenses that are assigned to former employees. These factors can make SSO both costly and insecure.
What is Federated Identity Management?
The concept of Federated Identity Management (FIM) was introduced to address these issues.
FIM is the set of agreements and standards enable the portability of identities across multiple enterprises and numerous applications to support large numbers of users.
It is essentially an arrangement that can be made among multiple organizations that let subscribers use the same identification data to obtain access to an application, program, and even the networks of all members of the group. This is the important difference between SSO and Federated Identity. While SSO allows a single authentication credential to access different systems within a single organization, a federated identity management system provides single access to multiple systems across different enterprises. In such a system, users do not provide credentials directly to a web application, only to the FIM system itself.
It’s all about trust
The advantages of Federated Identity over standard SSO have made this method the preferred option for many medium to large companies.
The problem that many companies skim over though, is that, at a fundamental level, FIM still leaves open the fundamental security problems of identity diversification created by SSO.
How is this?
Any Federated Identity system is based first and foremost on mutual trust. Each party using the federated identity credentials are essentially allowing all the other members to access information contained on, and track activities of the shared application. This risk is exponentialized when dealing with sensitive applications such as data management software and other programs that deal with personal data. Furthermore, FIM systems really on the constant communication back and forth by individual users and a centralized identity provider (IDP) in order to authenticate and grant authorization. If for some reason the metadata used to authenticate a user to the IDP was compromised, through unintended leaks, or more classical hacking methods such as phishing attacks, a criminal would be granted the same access to the federated identity provides to all other partners.
While many solutions exist to make FIM more efficient, pretty much all still leave open serious security risks.
The New Paradigm
The SSO solution of Secret Double Octopus is a paradigm shift in managing multiple users to the same web platforms and applications. Unlike other authentication tools, it does not rely on metadata that a user needs to remember and then submit in order to be authenticated. Additionally, communication between the user’s device and the platform is accomplished via Secret Sharing, meaning partial information using multiple layers and routes is transmitted at a time, preventing the interception of any usable data by an adversary.
Diversifying digital identities ramps-up an organization’s work efficiency by reducing authentication time for all cloud and on-premise programs and applications. It should not have to come at the cost of a company’s network security. Incorporating the right authentication tools at the individual user level can allow an organization to reap the full benefits of SSO.