When we meet with a customer, we first like to build a common ground with regards to nomenclature. In the identity management field this is especially true because terms are used differently by different people/organizations. We find this to be especially true with discussions around the topic of SSO (Single Sign-On).
What does SSO mean to you? Does it mean you log in one time and never get challenged with an ID/Password again? Does it mean you are always challenged for an ID/Password but they are the same across systems? Or, does it mean you never need an ID/Password and instead you use physical or biometric authentication? The reality is that there is no right or wrong answer to "What is SSO?". However, we do put our own terms to use and I thought I would share those. Identity Automation sticks with two terms with regards to SSO: SSO (Single Sign-On) and RSO (Reduced Sign-On).
The SSO term, for us, defines a euphoria where the end user logs in once to access their workstation. This initial authentication could be an ID/Password challenge or some passwordless challenge such as using physical or biometric means of authentication. Subsequent application access will not challenge the user for further authentication. The challenge still exists but it is handled by some type of software layer that knows the user's credentials and is populating them on behalf of the user.
The term RSO is significantly different. The concept of RSO is that the number of ID/Password combinations an end user will need to remember is "reduced". In other words, the end user will need to authenticate to their workstation AND to each application; however, the ID/Password will be guaranteed to be the same on each challenge. This scenario is also a euphoria in its own respect depending on the number of applications in the environment that require authentication.
Now, neither term or approach is considered "best practice" or the right answer. There are use cases that make sense for both. In fact, it is more common to see both SSO and RSO used in an organization than just one or the other.
There are many factors when determining which method(s) to use. Just to name a few there are security, cost, and usability concerns. To implement SSO, you must deploy an SSO product and "train" that product how to authenticate to each system in the environment. For RSO, you must implement a combination of password synchronization and centralized authentication (e.g. LDAP) solutions. Neither of these are "quick wins" but both have significant long term affects for the organization.
Currently, Identity Automation is working on a passwordless SSO solution through our partnerships with key technology providers. The end result will be a solution that greatly simplifies the end user experience and provides the utmost security. The solution will utilize biometric authentication to the workstation and then a combination of products to provide the SSO to the remaining systems that end users would access during that session. The use of biometric authentication means no more remembering passwords, no sharing passwords and no password guessing. Although hardware costs are significant, the ROI to the organization is typically realized in short order, especially when you take into account the intangible savings provided by the enhanced security.
For more information, please submit your contact information and one of our sales representatives will contact you.
Comments