Password fatigue is a common problem for employees who are often required to create, manage, and remember passwords for many different accounts. A common solution to this problem is for employees to reuse passwords across multiple accounts. However, while this can reduce the burden on employees and improve efficiency, it does so at the cost of security.
Single Sign On (SSO) is a service that is designed to mitigate password fatigue without compromising security. Employees are presented with a single sign-on screen when authenticating to the environment, which verifies their identity. This authentication is then carried to other systems within the network, enabling employees to use them without remembering a password and logging in for each of them.
Traditionally, most applications and systems manage authentication and access management individually. When a user wishes to log into a computer or an application, they provide a set of login credentials that are compared to the set kept on file. If the credentials are accepted, then the user is granted access to the desired resource.
SSO keeps this process but applies it to authenticating to the network as a whole. When a user first logs into the network, their authentication information is transmitted to an authentication server, which validates their identity and the access controls assigned to them. After that, when a user wishes to log into a new system or application, their access request is forwarded to the authentication server. Based upon its built-in access control policies, the server tells the system or application to either allow or deny access.
Since the authentication server has already verified the user’s identity and tracks it throughout their session, the user no longer needs to authenticate individually to each application or system that they use. This eliminates the need for these resources to implement their own authentication systems or for a user to create and recall a unique password for each resource.
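The flow described above can be modeled in a few lines. This is an added example, not code from Check Point or any SSO product: the `AuthServer` and `Application` classes, the HMAC-signed `user|expiry|signature` token format, and the sample user are all assumptions made for illustration, and production deployments use a standard SSO protocol rather than an ad hoc token.

```python
import hashlib, hmac, secrets, time

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthServer:
    """Central server: verifies identity once, then answers every access request."""
    def __init__(self, users, policy, ttl=3600):
        self._key = secrets.token_bytes(32)  # signing key never leaves this server
        self._users = users                  # user -> (salt, password hash)
        self._policy = policy                # user -> set of permitted resources
        self._ttl = ttl
        self.locked = set()                  # accounts locked by the security team

    def _sign(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def login(self, user, password, now=None):
        """The single sign-on: returns a signed session token, or None."""
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        if user in self.locked or not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        payload = f"{user}|{int((time.time() if now is None else now) + self._ttl)}"
        return f"{payload}|{self._sign(payload)}"

    def authorize(self, token, resource, now=None):
        """Decision for a request forwarded by an application: True means allow."""
        try:
            user, expires, sig = token.split("|")
            expires = int(expires)
        except (AttributeError, ValueError):
            return False                     # malformed or missing token
        if not hmac.compare_digest(sig.encode(), self._sign(f"{user}|{expires}").encode()):
            return False                     # forged or tampered token
        if (time.time() if now is None else now) >= expires or user in self.locked:
            return False                     # expired session or locked account
        return resource in self._policy.get(user, set())

class Application:
    """A resource with no password store of its own; it forwards each request."""
    def __init__(self, name, auth):
        self.name, self.auth = name, auth
    def handle(self, token, now=None):
        return "allow" if self.auth.authorize(token, self.name, now) else "deny"

def build_demo():
    """Constructed sample data: one user, two applications."""
    salt = secrets.token_bytes(16)
    auth = AuthServer({"alice": (salt, hash_password("correct horse", salt))},
                      {"alice": {"wiki"}})
    return auth, Application("wiki", auth), Application("payroll", auth)
```

Because every application defers to `authorize`, adding a user to `locked` cuts off an already-issued session everywhere at once, which is the centralized lock-down that per-application passwords cannot offer.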
SSO centralizes access management for a network into a single authentication server. By doing so, it provides a number of different benefits to an organization and its employees, such as:
The actual SSO protocol is secure and relies on the authentication server to manage and approve or deny access requests. As long as this server is well-protected and an organization’s access control policies are well-designed, then a malicious user or an attacker with access to a compromised account will have their access restricted to the permissions assigned to that account.
The primary benefit and risk of SSO is that it allows a user to access everything after authenticating once. This means that an attacker with control over a legitimate account can access anything that account is permitted to access without being required to enter any additional passwords.
However, the use of SSO means that an organization can more easily and effectively deploy solutions like multi-factor authentication (MFA) to make this scenario less likely. Additionally, while a user may not need to authenticate multiple times to access various systems, an organization can still perform behavioral analytics to identify anomalous or suspicious activity that could indicate a compromised account. If such activity is detected, the security team can take action to lock down the compromised account.
Implementing SSO across an organization’s entire environment is possible with a standalone solution. However, it is much easier to deploy, configure, and maintain if the solution is designed to be integrated from the start. This requires an SSO solution to offer support for secure remote access, cloud-based deployments, and an organization’s on-premises data centers and endpoints.
Check Point offers solutions in all of these areas, making it simple and painless to deploy SSO across the enterprise. To see Check Point’s solutions in action, you’re welcome to request a free demo.