An Information Security Place

Commentary on the State of Information Security


Filed under Multi-factor, Passwords, Security, Single Sign On

I posted a few days ago about the password length vs. complexity vs. multi-factor authentication debate.  One of the assertions I made was that it is essential to tie SSO in with multi-factor authentication.  Now, I did not assert in my post that SSO makes multi-factor authentication more secure, as Chris Hoff says I did in his post.  However, that was a point I wanted to make, so I am not quite sure why I didn’t do it.  So, without further hesitation, I now officially contend that it does make a system more secure in many ways.  So, let’s look at them:

1. Lowered password complexity, when coupled with one or more other factors, actually makes for stronger security.  Chris, rightly so, blames many of our security woes on users.  But I believe that a user is less likely, not more likely, to write down a PIN so he / she can remember it than if they had to remember a strong, complex password (even if they use passphrases).  Yes, I see some users writing their PIN on their RFID card, just like their ATM cards.  But you know, many of those lessons have been learned out there already because ATM security has been beaten into people over the years.  Approach it as being very similar to ATMs, and a light comes on immediately.  Believe me, I have seen the look of comprehension on quite a number of user faces as I explained a card and PIN in this manner.  I actually think this is the least worrisome of the issues.

2. Most SSO vendors allow for scripting of password changes.  This allows the system to change a password automatically, and (if the target system supports it) it can replace the password with a complex AND long password that is not crackable in today’s world and that the user has no knowledge of.

3. Number 2 also lowers the social-engineering vulnerability from the user’s side because I can’t impersonate Joe Admin and ask for your password.

4. With a properly implemented SSO solution, you have a lessened need for password resets, which lowers your vulnerability to social engineering from the admin side (someone impersonating a user).

5. In looking at the good ol’ CIA triad, availability is one of the points of the triangle.  Many people forget about this point and just secure the crap out of the network while forgetting that the resources need to be available.  Making the authentication process more difficult is not complete security.  An SSO coupled with multi-factor can make the login process easier while also creating a good layer in your DID (defense-in-depth) infrastructure.
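To make points 2 and 3 concrete, here is an added example (my own illustration, not any vendor's code) of what a scripted rotation looks like in miniature: the vault, not the user, holds the application password, rotates it to a long random value on a schedule, and verifies the new value meets policy. `TargetSystem` is a constructed stand-in for the application being logged into; the policy values are assumptions.

```python
import hashlib
import hmac
import secrets
import string

# Hypothetical policy: 32 characters, every character class present.
POLICY = {
    "length": 32,
    "classes": (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation),
}


def meets_policy(password: str, policy: dict = POLICY) -> bool:
    """True if the password is long enough and uses every required class."""
    return len(password) >= policy["length"] and all(
        any(ch in cls for ch in password) for cls in policy["classes"])


def generate_password(policy: dict = POLICY) -> str:
    """Draw from the CSPRNG (secrets); resample until every class appears."""
    alphabet = "".join(policy["classes"])
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if meets_policy(candidate, policy):
            return candidate


class TargetSystem:
    """Constructed application backend: stores only a salted PBKDF2 digest."""
    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(password)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self._digest)

    def change_password(self, old: str, new: str) -> None:
        if not self.verify(old):
            raise PermissionError("old password rejected")
        self._salt = secrets.token_bytes(16)   # re-salt on every change
        self._digest = self._hash(new)


class SsoVault:
    """Holds the application credential on the user's behalf; the user never sees it."""
    def __init__(self, system: TargetSystem, enrolled_password: str):
        self._system, self._secret = system, enrolled_password

    def rotate(self) -> bool:
        """Scripted change: vault picks the new password and updates the backend."""
        new = generate_password()
        self._system.change_password(self._secret, new)
        self._secret = new
        return meets_policy(new)

    def login(self) -> bool:
        return self._system.verify(self._secret)
```

After `rotate()`, the credential a user once knew (and could be talked into revealing) no longer works anywhere, which is exactly the social-engineering gain point 3 describes.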

Speaking of DID, Chris makes the point that the SSO structure adds another attack surface.  Well, if its worth can be shown as a valid security layer (as I hope I have done to some degree above), then it simply adds another attack surface just like every other layer adds a surface or platform for launching attacks.  Your firewall can be used to attack you if it is compromised.  So can your IDS / IPS and other security layers.  Your SSO vendor, just like any other, has to prove that they are making a secure product so it can’t be easily compromised.  They have to protect the keys that are inside the SSO vault.  But when you consider that many of the major security vendors like RSA, Citrix (yes, they are good at security), CA, Novell, etc. are pushing their SSO solutions, I think you have many valid choices.

As to mutual authentication, I am totally and completely in agreement that this is where we need to go.  But how many security vendors are pushing this as a mainstream solution today for SMBs?  I can sense the swing, but I have to make sure my advice is attainable now, not 5 years in the future.  And I think if you want to mitigate the risks of passwords, SSO coupled with multi-factor authentication is a valid choice TODAY.

Vet

Posted by Michael Farnum on Tuesday, August 1st, 2006