Separating single sign-on myths from fact
by Geoff Webb - Director of Solution Strategy at NetIQ - Tuesday, 26 February 2013.
Myth #3: SSO reduces security

This outdated belief stems from the assumption that SSO provides a single set of keys to the kingdom, and that once those keys are in the wrong hands, all applications will be at risk. But the truth is that when used properly, SSO actually increases security by enabling more complex authentication policies, randomizing passwords, and enabling re-authentication within an application as needed.

In addition, SSO solves one of the biggest, longest-standing and most intractable problems of security: leaving password management in the end users’ hands. Everyone knows that having strong, unique and regularly changed passwords (that are not all written down in one place) is important for maintaining basic security of end user accounts. However, whether we are talking about work or personal accounts, we all know that these best practices are seldom followed by end users without some form of enforcement mechanism from IT. An SSO solution requires users to remember one secure password for everything they access, rather than forcing them to have many similar passwords (which will often be much weaker).

Myth #4: SSO is only for internal users, not public-facing services

This last misconception deals with much more recent trends in IT, and requires a more thorough response.

As we discussed earlier in this article, SSO gives you increased efficiency in management and security, and the ability to grant users access to online services. As organizations start to deepen their interactions with their customers or users, they want to provide online access to services which are more personalized. One approach is to use the concept of social identity. This approach uses existing online identities, such as those created with services like Facebook or LinkedIn, and allows the same identity to be used to access a business’ or government entity’s services.

Social identity allows organizations to engage with users with the least amount of friction, at the lowest cost, and with minimal management burden. It also allows a business to grant more access to more people with less overhead and management headache, and therefore provides an organization with SSO functionality for access to public-facing web services. SSO and social identity are thus complementary concepts that organizations can use to enable frictionless access to anything, from anywhere, from any device, based upon an individual’s identity.

BYOI and the way forward

When we look at how things are evolving and changing with the consumerization of IT, it is likely that we are going to have to continue to assess how to utilize both SSO and social identity frameworks to support business objectives.

We want to achieve verifiable identity based upon unique identities, within the given context of what those identities are seeking to access, from where, when and with what device. Therefore, social identity may provide the first step in authenticating an individual, but would need to be part of a process of secure and scalable authentication.

Social identity may be all that is required to access some services, or it may be one part of a multi-factor authentication approach that truly verifies identity before granting access to other, more sensitive data.
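The step-up model described in the two paragraphs above, as an added example that is not from the original article or from NetIQ: a small context-aware access policy in Python (the assurance and sensitivity scales and the three risk signals are assumptions for illustration) that accepts a social identity on its own for personal data, but requires a second factor for sensitive data or when the device, location or time of the request deviate from what is normal for that identity.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """How strongly the caller's identity has been verified (constructed scale)."""
    NONE = 0    # anonymous
    SOCIAL = 1  # identity asserted by a social provider such as Facebook or LinkedIn
    MFA = 2     # social or other first factor plus a second factor verified by us


class Sensitivity(IntEnum):
    """How sensitive the requested data or service is (constructed scale)."""
    PUBLIC = 0
    PERSONAL = 1
    SENSITIVE = 2


@dataclass(frozen=True)
class AccessContext:
    assurance: Assurance      # what the current session has already proven
    sensitivity: Sensitivity  # what is being requested
    known_device: bool        # device previously seen for this identity
    usual_location: bool      # request comes from a location this identity normally uses
    business_hours: bool      # request falls inside this identity's normal hours


def risk_signals(ctx: AccessContext) -> list[str]:
    """Names the context signals that deviate from the identity's normal pattern."""
    checks = {"unknown device": ctx.known_device,
              "unusual location": ctx.usual_location,
              "outside business hours": ctx.business_hours}
    return [name for name, ok in checks.items() if not ok]


def required_assurance(ctx: AccessContext) -> Assurance:
    """Resource sensitivity sets the floor; two or more risk signals raise personal data to MFA."""
    if ctx.sensitivity == Sensitivity.SENSITIVE:
        return Assurance.MFA
    if ctx.sensitivity == Sensitivity.PERSONAL:
        return Assurance.MFA if len(risk_signals(ctx)) >= 2 else Assurance.SOCIAL
    return Assurance.NONE


def decide(ctx: AccessContext) -> tuple[str, Assurance, list[str]]:
    """Returns ('allow' or 'step_up', the assurance the request needs, triggered risk signals)."""
    needed = required_assurance(ctx)
    verdict = "allow" if ctx.assurance >= needed else "step_up"
    return verdict, needed, risk_signals(ctx)
```

A "step_up" verdict is where the social login hands over to the organization's own second factor; the returned signals explain to the user (and the audit log) why the extra step was asked for.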

As social identity becomes more ubiquitous, we are already entering the era of “Bring Your Own Identity” (BYOI), where user identity is decoupled from traditional control, while businesses retain the ability to rapidly provision, deprovision and manage individual access to data across public and private cloud services.
