Ask the Expert

How SSOs differ from login and passwords

In a previous tip, you classified login and password as High risk and SSO as Medium risk. If login and password are HIGH risk, why would SSO, relying on login and password be a reduced MEDIUM risk?

    Requires Free Membership to View

SSO systems are quite complex and are deployed differently than single authentication systems because they have to synch with diverse types of authentication databases and directories. That means they have stronger built-in controls. Additionally, because SSO systems are a front end to applications, they sit inside a corporate firewall, behind a DMZ, and aren't exposed to users outside the company. For these reasons, I ranked IDs and passwords higher than Single Sign-On (SSO).

But what about remote users on VPNs, you might ask? Aren't these external users going through the firewall to access internal systems through an SSO system? The answer is yes. However, because the user has to log in to the VPN first, using a separate login -- they would first have to breach the VPN before they could even attempt an SSO login breach.

With that said, your point is still valid. On the surface, SSO by definition is a single point of access and could be seen as a single point of entry for a malicious user. However, with the mitigating controls just described, I felt the risk of SSO was lower than that of a simple user ID and password system.

This was first published in March 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: