Problem solve Get help with specific problems with your technologies, process and projects.

How SSOs differ from login and passwords

Learn how SSO systems and login and passwords differ, and which systems are more likely to be exploited and why in this Ask the Expert Q&A.

In a previous tip, you classified login and password as High risk and SSO as Medium risk. If login and password are HIGH risk, why would SSO, relying on login and password be a reduced MEDIUM risk?
SSO systems are quite complex and are deployed differently than single authentication systems because they have to synch with diverse types of authentication databases and directories. That means they have stronger built-in controls. Additionally, because SSO systems are a front end to applications, they sit inside a corporate firewall, behind a DMZ, and aren't exposed to users outside the company. For these reasons, I ranked IDs and passwords higher than Single Sign-On (SSO).

But what about remote users on VPNs, you might ask? Aren't these external users going through the firewall to access internal systems through an SSO system? The answer is yes. However, because the user has to log in to the VPN first, using a separate login -- they would first have to breach the VPN before they could even attempt an SSO login breach.

With that said, your point is still valid. On the surface, SSO by definition is a single point of access and could be seen as a single point of entry for a malicious user. However, with the mitigating controls just described, I felt the risk of SSO was lower than that of a simple user ID and password system.

This was last published in March 2006

Dig Deeper on Single-sign on (SSO) and federated identity

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.