Remember the promises of single sign-on (SSO)? "One user account and one password are all you need," the vendors proclaimed. Even before Active Directory became mainstream, many vendors were touting SSO solutions. But that was in the mid-1990s.
Fast forward to today. We've got Active Directory, eDirectory, Federated Identity solutions and so on. But we're still having to manage multiple user accounts and passwords in many areas of what we do with computer systems, including:
- Hard drive encryption
- Windows operating systems
- Web/POP3/SMTP email
- Internal websites
- External websites
- Database systems
- Word, Excel and PDF documents
- VPN connections
- Remote desktop connections
- Mainframe systems
Ask any given user -- even Windows admins -- and you'll hear that true
So what happened to the promises of one user ID and one password? We could chalk up these broken promises to growing information system complexities. We could credit the Internet and rich applications for pushing the need for authentication out past the OS layer. In the end, it doesn't matter why we have to remember dozens of sets of login credentials. The fact is, it's a problem and we need a solution.
Are tools the answer to SSO problems?
Although SSO and Federated Identities as we know them are arguably still in their infancy, there are some solutions on the market today that can help ease the pain of logon credential management. CA, IBM and RSA, for example, have enterprise solutions.
Based on what I've seen in my work, however, only the largest enterprises can justify going this route. If your network falls into the less-than-gargantuan-sized category, there are also some smaller vendors that offer their own unique approaches to the SSO issue. Products such as Quest Software Inc.'s One Identity Solution and nFront Security Inc.'s Passfilt Pro help integrate multiple passwords and enforce policies across systems in their own unique ways.
Going beyond OS-level authentication, a Web form filler application such as Siber Systems Inc.'s RoboForm may be all you need. Hewlett-Packard Co. even has its own OS- and application-level authentication solution, called ProtectTools Credential Manager, built into its business-class mobile systems. I have it on my system and I can see how it would be a great way to manage login credentials across the board for mobile users.
Will there ever be an end-to-end solution to our SSO dilemma? Yeah, maybe once we all have RFID chips implanted somewhere in our bodies. We'll simply walk up to the computer and log in to everything at once. We go away, we get logged out. As scary as that is to me, I do envision something along those lines being a reality one day.
I'm still optimistic about today's current offerings. If you do go down the SSO road, just make sure you're doing it for all the right reasons: security, convenience, productivity and reducing business risks. Otherwise, your SSO solution could end up getting in the way of things and lead to people and processes increasing security risks (i.e. unauthorized access and breaches) rather than minimizing them.
Check out the existing solutions offered by third-party vendors as well as your current configurations. As with HP's ProtectTools you may already have the solution you need, at least for a subset of your users. Don't wait for Microsoft to solve this problem because it's not really Microsoft's to fix. Just know that until every OS speaks the same language as every application across the board, this is a network management, user education and security issue we're going to have to balance on our own terms.
About the author: Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver /at/ principlelogic.com.