Single sign-on (SSO) – the best prescription against password fatigue?
Single-sign-on is a type of authentication service that lets users sign in to many applications using just one set of login credentials.
As general awareness about the importance of cybersecurity continues to grow, businesses refine and update their security policies. The updated policies feature various rules and standards designed to make businesses more resilient to cyber attacks, including rules about how users access business applications.
Balancing security concerns with continued productivity is a challenge that single sign-on can help solve.
The Password Fatigue Problem
As cybersecurity became more of a pressing concern for businesses in all industries, information security decision makers realized that poor password hygiene was a common source of cyber risk. Employees signing into workstations and business applications could have their credentials compromised due to weak passwords reused across disparate systems.
To this day, stolen credentials remain a persistent cause of data breaches. In 2020, for example, hotelier Marriott International disclosed a breach in which the login credentials of two employees at a franchised property were used to access guest records.
For many companies the response was to tighten password policies: minimum length, mandatory character classes, and fixed expiration periods. These policies were enforced through directory services such as Active Directory.
Modern employees access several different business applications in their daily work, spread across a hybrid IT environment of on-premises and cloud-based applications. One study found that the average worker uses 9.39 apps.
An unintended outcome of increasingly robust password policies for accessing all these resources is password fatigue. As employees try to remember and manage passwords for different resources, some of the following unwelcome actions impair productivity:
- Employees spend too much time trying to remember passwords to different systems
- IT helpdesks easily get overwhelmed with password reset tickets
- Even if a business has a self-service portal for resetting passwords, employees spend too much time using it because they regularly forget passwords
The password fatigue issue is an alignment problem between productivity and security, and it degrades the user experience for both employees and the IT help desk.
The password fatigue issue was exacerbated during the pandemic, when businesses had to provide access to apps and resources for newly remote workforces. To combat this problem and improve security without impairing productivity, many businesses are turning to single sign-on.
What is Single Sign-On?
Single sign-on is an authentication service that lets users sign in to many applications with one set of login credentials. The user authenticates once to an identity provider (IdP); each application (the service provider, or SP) then receives a signed, standards-based statement of who the user is, such as a Kerberos ticket on the local network or a SAML assertion or OpenID Connect ID token on the web. The application verifies that statement and never handles the user's password itself.
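The exchange described above, as an added example that is not part of the original article: an OpenID Connect-style flow written against the Python standard library only. The identity provider checks the password once and issues a signed ID token for the requesting app; each app verifies the signature and the issuer, audience, expiry and nonce claims before trusting the subject. The issuer URL, user, password and app names are constructed, and one HMAC key shared between IdP and apps stands in for the asymmetric key pair a real deployment would use.

```python
"""Added example, not from the original article: an OpenID Connect-style SSO
exchange using only the Python standard library. The IdP checks the password
once and issues a signed ID token per app; each app validates the token and
never handles the password. All names, users and keys are constructed."""
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class IdentityProvider:
    """Holds the only copy of the passwords and signs tokens. One HMAC key
    stands in for an RS256 key pair: in production the IdP signs with a
    private key and apps verify with the published public key (JWKS)."""
    def __init__(self, issuer: str):
        self.issuer, self.key, self.users = issuer, secrets.token_bytes(32), {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    def issue_id_token(self, username, password, client_id, nonce, now):
        """Authenticate once; return a signed ID token for client_id, or None."""
        salt, stored = self.users.get(username, (b"x", b""))
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": username, "aud": client_id,
                  "iat": now, "exp": now + 300, "nonce": nonce}
        body = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
        return body + "." + b64url(hmac.new(self.key, body.encode(), hashlib.sha256).digest())

class ServiceProvider:
    """An app that trusts the IdP's signature instead of storing passwords."""
    def __init__(self, client_id: str, key: bytes, issuer: str):
        self.client_id, self.key, self.issuer, self.pending = client_id, key, issuer, set()

    def start_login(self) -> str:
        nonce = secrets.token_urlsafe(16)  # binds the IdP's reply to this login attempt
        self.pending.add(nonce)
        return nonce

    def finish_login(self, token: str, now: int) -> str:
        """Check every claim the app depends on before trusting `sub`."""
        try:
            h, c, s = token.split(".")
        except ValueError:
            raise ValueError("malformed token")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # pin the algorithm; never trust the header's choice
        expected = hmac.new(self.key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(c))
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        if claims.get("aud") != self.client_id:
            raise ValueError("token issued for another app")
        if now >= claims.get("exp", 0):
            raise ValueError("token expired")
        if claims.get("nonce") not in self.pending:
            raise ValueError("replayed or unsolicited token")
        self.pending.discard(claims["nonce"])
        return claims["sub"]

def demo() -> dict:
    """One password, two apps, plus the responses an app must reject."""
    idp = IdentityProvider("https://idp.example")
    pw = "correct horse battery staple"  # constructed
    idp.add_user("alice", pw)
    crm = ServiceProvider("crm", idp.key, idp.issuer)
    wiki = ServiceProvider("wiki", idp.key, idp.issuer)
    now, out = 1_700_000_000, {}

    def attempt(sp, token, at):
        try:
            return sp.finish_login(token, at)
        except ValueError as exc:
            return str(exc)

    crm_tok = idp.issue_id_token("alice", pw, "crm", crm.start_login(), now)
    out["crm_user"] = attempt(crm, crm_tok, now)
    wiki_tok = idp.issue_id_token("alice", pw, "wiki", wiki.start_login(), now)
    out["wiki_user"] = attempt(wiki, wiki_tok, now)
    out["replay"] = attempt(wiki, wiki_tok, now)  # same token presented twice
    out["cross_app"] = attempt(wiki, idp.issue_id_token("alice", pw, "crm", crm.start_login(), now), now)
    h, c, s = crm_tok.split(".")
    forged = dict(json.loads(b64url_decode(c)), sub="admin")  # edited claims, original signature
    out["tampered"] = attempt(crm, f"{h}.{b64url(json.dumps(forged).encode())}.{s}", now)
    out["expired"] = attempt(crm, idp.issue_id_token("alice", pw, "crm", crm.start_login(), now), now + 600)
    out["wrong_password"] = idp.issue_id_token("alice", "hunter2", "crm", crm.start_login(), now)
    return out
```

The order of checks in `finish_login` is deliberate: the signature is verified before any claim is read, so a tampered token fails as "bad signature" rather than leaking which claim an attacker got wrong, and the audience check is what stops a token issued for the CRM from logging someone into the wiki even though both apps trust the same issuer.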
SSO traces its history to on-premises directory services such as Active Directory (AD). Providing single sign-on to Windows systems and apps within the local network perimeter was straightforward, because a Kerberos ticket from the domain controller could vouch for the user to every domain-joined service. Custom-built solutions providing SSO on-premises were known as enterprise SSO or intranet SSO, and papers discussing such solutions stretch back to the mid-1990s.
As web-based services became more popular, browser-based SSO mechanisms became necessary to bridge the gap between AD and the web applications that companies were increasingly adopting.
As IT decision-makers invested heavily in cloud infrastructure, the need for hybrid deployments grew. Modern SSO must authenticate users to legacy on-premises apps and cloud-based apps alike.
Single Sign-On Benefits
By its very definition, SSO combats the password fatigue issue that afflicts employees. The specific benefits of SSO include:
- Increased productivity: When employees no longer waste time trying to remember and reset passwords, they can focus on doing the tasks that deliver actual business value. One case study of an educational institution found that SSO saved 2,500 hours of time.
- Better user experience: The ability to sign in to relevant business apps and resources in one go also improves user experience. Interfacing with business technology becomes more convenient and stress-free for people, which can boost satisfaction with their jobs.
- Reduced help desk burden: There are far fewer password reset requests to deal with for IT helpdesks. Employees can still forget their passwords, but this issue becomes much less frequent.
- Less unsafe password handling: When people need to remember multiple passwords for different systems, poor practices creep in, such as writing passwords on post-it notes or keeping a desktop document listing every password.
Single Sign-On Challenges
Password Policies Remain Important
Businesses still need a sensible policy for the one password that unlocks SSO: favour length over complexity rules, screen new passwords against lists of known-breached passwords, and rotate only on suspected compromise rather than on a schedule (the approach NIST SP 800-63B recommends). Because that single credential now opens every connected app, a weak or reused SSO password with no other authentication control turns one compromise into access to multiple resources rather than one.
App Visibility is Necessary
Most businesses use well over 100 different apps across their hybrid IT environments as specialized cloud services proliferate to handle various operational use cases. Visibility over all of them is critical to ensure they are integrated with the SSO service. If users find they must start remembering separate passwords again because certain apps were left out of the SSO rollout, the password fatigue issue repeats itself. Apps outside SSO are also a security gap in their own right: when an employee leaves, disabling their SSO account cuts off the integrated apps, but an app with its own local password stays open until someone remembers to remove it.
Complementary Authentication Methods Are Needed
SSO on its own, with no other authentication method, increases information security risk, because the SSO session becomes the one thing an attacker needs. Multi-factor authentication should be enforced at the identity provider, so it protects every connected app at once. For particularly sensitive apps or data, risk-based (adaptive) authentication goes further: it evaluates the context of each sign-in, such as the device, location, time, and the sensitivity of the app being opened, and requests an additional factor, or blocks the attempt, before access is granted.
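A risk-based step-up policy of the kind described above, as an added example that is not part of the original article. It scores each sign-in on the app's sensitivity, whether the device is enrolled for the user, and geo-velocity against the user's previous sign-in (the "impossible travel" check), and returns allow, require MFA, or deny. The app list, enrolled devices, speed threshold and sign-in events are all constructed for illustration; a real deployment would take them from the identity provider's logs and inventory.

```python
"""Added example, not from the original article: a small risk-based step-up
policy for SSO sign-ins. Each event is scored on app sensitivity, device
enrolment and geo-velocity against the user's previous sign-in. Apps,
devices, thresholds and events below are constructed for illustration."""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class SignIn:
    user: str
    app: str
    device_id: str
    lat: float
    lon: float
    ts: int  # Unix seconds

SENSITIVE_APPS = {"payroll", "admin-console"}   # constructed
KNOWN_DEVICES = {"alice": {"laptop-a1"}}        # constructed: devices enrolled per user
MAX_SPEED_KMH = 900                             # faster than an airliner => impossible travel

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def decide(event: SignIn, previous: Optional[SignIn]) -> Tuple[str, List[str]]:
    """Return ("allow" | "mfa" | "deny", reasons) for one sign-in."""
    reasons = []
    if event.app in SENSITIVE_APPS:
        reasons.append("sensitive app")
    if event.device_id not in KNOWN_DEVICES.get(event.user, set()):
        reasons.append("unrecognised device")
    if previous is not None:
        hours = (event.ts - previous.ts) / 3600
        km = haversine_km(previous.lat, previous.lon, event.lat, event.lon)
        # Covering `km` in `hours` faster than MAX_SPEED_KMH cannot be one person
        if hours <= 0 or km / hours > MAX_SPEED_KMH:
            reasons.append("impossible travel")
    if "impossible travel" in reasons and "unrecognised device" in reasons:
        return "deny", reasons  # two strong signals together: block and alert
    return ("mfa" if reasons else "allow"), reasons

def run_policy(events: List[SignIn]) -> List[Tuple[str, List[str]]]:
    """Evaluate events in time order, using each user's last sign-in as context."""
    last, decisions = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        decisions.append(decide(ev, last.get(ev.user)))
        last[ev.user] = ev
    return decisions

SAMPLE_EVENTS = [  # constructed: one user over one hour
    SignIn("alice", "wiki", "laptop-a1", 51.5074, -0.1278, 1_700_000_000),     # London
    SignIn("alice", "payroll", "laptop-a1", 51.5074, -0.1278, 1_700_000_600),  # London, +10 min
    SignIn("alice", "wiki", "laptop-a1", 40.7128, -74.0060, 1_700_001_800),    # New York, +20 min
    SignIn("alice", "wiki", "phone-x9", -33.8688, 151.2093, 1_700_003_600),    # Sydney, +30 min
]

if __name__ == "__main__":
    ordered = sorted(SAMPLE_EVENTS, key=lambda e: e.ts)
    for ev, (verdict, why) in zip(ordered, run_policy(SAMPLE_EVENTS)):
        print(f"{ev.app:14} {ev.device_id:10} -> {verdict:5} {', '.join(why)}")
```

Running the sample gives allow for the first sign-in, MFA for the payroll app, MFA for the London-to-New-York hop that would need roughly 5,570 km in twenty minutes, and deny for the Sydney sign-in, which combines an unknown device with a second impossible hop. The threshold and the deny rule are policy choices; the point is that the decision uses context the password alone cannot provide.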
The Future of SSO
It’s likely that future SSO will become passwordless, meaning the initial login to the identity provider uses something other than the traditional username-password combination. With FIDO2/WebAuthn passkeys, for example, a fingerprint or face unlocks a private key held on the user's device, and the device signs a challenge bound to the identity provider's origin; the biometric itself never leaves the device, and the signature cannot be replayed against a phishing site. More comprehensive SSO implementations will also extend seamless access beyond applications to any IT resource, such as workstations, VPNs and servers.
Editor’s Note: Ronan Mahony is a freelance content writer mostly focused on cybersecurity topics. He likes breaking down complex ideas and solutions into engaging blog posts and articles. He’s comfortable writing about other areas of B2B technology, including machine learning and data analytics.