How SSOs differ from login and passwords
In a previous tip
, you classified login and password as High risk and SSO as Medium risk. If login and password are HIGH risk, why would SSO, relying on login and password be a reduced MEDIUM risk?
systems are quite complex and are deployed differently than single authentication
systems because they have to synch with diverse types of authentication databases and directories. That means they have stronger built-in controls. Additionally, because SSO systems are a front end to applications, they sit inside a corporate firewall
, behind a DMZ
, and aren't exposed to users outside the company. For these reasons, I ranked IDs and passwords
higher than Single Sign-On (SSO).
But what about remote users on VPNs, you might ask? Aren't these external users going through the firewall to access internal systems through an SSO system? The answer is yes. However, because the user has to log in to the VPN first, using a separate login -- they would first have to breach the VPN before they could even attempt an SSO login breach.
With that said, your point is still valid. On the surface, SSO by definition is a single point of access and could be seen as a single point of entry for a malicious user. However, with the mitigating controls just described, I felt the risk of SSO was lower than that of a simple user ID and password system.
This was first published in March 2006