The average business user, according to Security Magazine, manages 191 passwords for professional use and dozens more for private use. An organization with 50,000 workers may have as many as 10 million passwords in use by its employees. With so many passwords, the security breaches that proliferate from cyber-attacks mostly come from vulnerabilities caused by passwords.
The risks come from passwords used that are too simple, easy to guess, used for more than one system, and not changed with enough frequency. The best practices for security include not using the same password on multiple systems. Most professionals know this rule. Nevertheless, 61% of the average business users admit to using the same password everywhere.
Another problem from this password bloat is that employees waste an enormous amount of time typing passwords.
One solution for the password management problem is to eliminate the need to use so many. Instead of using a group of passwords to access different online services, it is possible to use a centralized authentication method that comes from a “web-based single sign-on” (Web SSO) system.
What is Web SSO?
A web SSO system allows a user to log in using the SSO web service with one set of credentials for authentication, which are a unique username and password. Then, this authentication allows them to access many other web-based applications and password-protected websites.
Online services and websites that allow SSO for authentication rely upon a trusted third-party provider to verify the identification of the users.
How does web single sign-on work?
A web single sign-on system relies on a trust relationship between online systems and websites.
Here are the steps that are taken by web SSO systems for authentication when a user logs on to an online service or a password-protected website:
- Verify Sign-In: The first step is to check to see if the user is already logged in to the authentication system. If the user is signed in, access is immediately granted. If not, the user is directed to the authentication system to sign in.
- User Sign-In: For each session, the user must first sign into the authentication system with a unique username and password. The authentication system uses a token for the session that stays in effect until the user logs out.
- Authentication Confirmation: After the authentication process happens, the authentication information is passed to the web service or website requesting verification of the user.
Web SSO vs. Password Vaulting
Web SSO differs from having a secured vault of different passwords for various online services. Password vaulting is protecting multiple passwords by a single username and password. However, each time a user goes to a new online service this requires a sign into the service. Even if the form fields are automatically filled in from the password vault, there is still a sign-in process needed.
With Web SSO, once a user is authenticated, there is no need to sign in to any web service that uses that authentication system. This is called a “sign in once/use all” authentication process.
Building a Single Log-In Solution from Scratch
For some uses, it is possible to create a simple single log-in solution from scratch. An example of the source code using Java is given on codeburst.io for those inclined to give this method a try. It works using tokens. A token is a set of random and unique characters created for one-time use that are hard to guess.
The login by a user on the web SSO system creates a new session and a global authentication token. This token is given to the user. When this user goes to a web service that requires a login, the web service gets a copy of the global token from the user and then checks with the SSO server to see if the user is authenticated.
If the user has already signed in to the SSO system, the token is verified as authentic by the SSO server, which returns another token to the web service with the user’s information. This is called a local token. Token exchange is done automatically in the background without the user’s involvement.
Popular Website Single Sign-On Solutions
For more advanced uses, there are many robust single log-in solutions available. Authentication using website single sign-on solutions include these popular web-based SSO systems reviewed by Capterra:
- LastPass
- ADSelfService Plus
- Next-Gen Access Cloud
- SAP Single Sign-On
- JumpCloud DaaS
- OneSign
- Bluink Enterprise
- SecureAuth
- SAML Web Browser SSO Profile
- OpenID
Benefits of Web SSO
Web-based single sign-on is useful because it is convenient. It is easier, faster, and password help requests are reduced. Users do not have to remember multiple passwords and no longer need to sign in to every web-based service individually.
A popular example of web SSO is available for any Google Gmail account holder. With a single sign in to Gmail, those users gain access to all of Google’s products, which are made available to the user without needing to sign in again until they log-off from their Gmail account. Opening Gmail allows these users to have instant access to their Google Drive, Google Photos, Google Apps, and their personalized version of YouTube.
With web SSO, the time that would otherwise be wasted for signing into the various services is recaptured. Complaints about password problems are virtually eliminated for web services. The process of connecting to online services works efficiently across all devices, including mobile one, which improves productivity.
Enterprise-Wide Identity Access Management
Web-based SSO may be used by a large organization for authentication. The web SSO allows a single sign-on for the user to access private company data and networked systems as well as use online resources provided by other entities that accept the same authentication protocols.
SSO Integration with Popular Web-Bases Services
External single sign-up/log-in services offer integration with many popular web-based applications such as Dropbox, Microsoft Azure Active Directory, New Relic, Salesforce, SharePoint, Slack, Zendesk and many more.
Facebook and Google offer SSO integration with thousands of web-based systems. Every time a user wants to sign up for a new service that has this SSO integration capability, the sign-up/log-in screen will offer a sign-in process by using information from Facebook SSO, Google SSO, or a non-SSO option by using a user’s email account as the username and a user-chosen password.
Web SSO Integration with Cloud Services
Cloud services have their methods of cloud user access management and may also accept authentication from third-party systems. For example, Amazon Web Services (AWS), which is the largest cloud -services provider in the world, offers its system of identity access management within AWS and allows user-authentication by third-party systems.
The connection made with the third-party systems is achieved through the AWS IAM Authenticator connector. This feature allows the system administrators to choose from many services that provide web SSO, such as the connection made with Amazon EKS to open-source Kubernetes or Github.
Security Risks of Web-Based Single Sign-On
There are tools to improve IAM security that help enterprises manage the risk. Web SSO reduces some risk while increasing other risks.
For example, phishing attacks are less effective because when a user is being tricked by a fake copy of a website, they do not log on by giving a username and password. If the website is fake, it is not trusted by the SSO server and does not get a local session token if it tries to submit a global user token to request it. In this case, the log on from the fake site will fail automatically, which protects the user from being fooled by the attempt.
The increased risk may come from having a single username and password for the SSO authentication system. This confidential data needs to be protected extremely well because if it is stolen it can be used to log in to many online services.
Securities strategies based on a zero-trust policy, such as multi-factor authentication, automatic password re-sets, requiring complex passwords that are different for each password reset, and device access controls are helpful to increase SSO system security
Conclusion
Web SSO is very convenient and widely used. However, all web SSO systems are not created equally. Careful selection of the SSO authentication provider is the first rule of using this type of authentication. Any data breach of this third party could expose log-in credentials that can access many online systems potentially causing serious damage.
CTOs and IT administrators are encouraged to conduct regular IT security reviews of their SSO authentication procedures and to follow a zero-trust strategy. A comprehensive security review includes an in-depth security evaluation of any third parties that provide authentication services.
