One Password, Multiple Problems
By Stephanie Blanchard, Assistant Editor & Lori Castle, Editor in Chief
Greg Kreizman, Research VP, Gartner, sees the enterprise embracing single sign-on. “I spend the better part of my day talking with companies in almost every industry about this topic,” he said, via email to Mobile Enterprise.
In an earlier announcement he explained, “The proliferation of mobile phones and tablets with a variety of operating systems has created the latest and greatest challenges to authentication and SSO.”
There is a reason. Using a single password across multiple apps, especially if it is a simple password, is a security risk. Attackers who steal passwords from one app can impersonate those users on the others. (Attackers can discover which other apps the user frequents and automate the process of trying the stolen logins there.)
Despite this, even security professionals, those who presumably would know better, admit to using poor password security practices.
A survey, conducted by Ping Identity at the 2013 RSA Conference, showed that 83% of respondents use the same password across multiple apps. The conference’s theme is “where the world talks security,” and attendees are typically chief security officers and other executives who are charged with ensuring that enterprises use technology safely. So Paul Madsen, Senior Technical Architect for Ping said, “I thought we’d see better practices.”
“It’s disappointing,” said Roger Oberg, VP Marketing at Ping. “Professionals are more aware than the general public, but like everyone else are trying to get the job done, so they are making passwords work for them.”
Oberg went on to say, “If security professionals are doing it, imagine what people who are less aware are doing. Passwords aren’t going away, as they are a way to authenticate, but they should be fewer and much stronger.” In practice, however, it’s hard to have 100 strong passwords, he noted.
Indeed. The survey showed that 55% of respondents use a tablet for work, and 49% logged in 10 or more times a day from a mobile device. Discounting email and calendar apps, 59% have three or more apps on their mobile device that are considered core to their job, while 25% have five or more such apps. That’s a lot of passwords and a lot of sign-ins.
As Big as the Internet
Enterprises need to be concerned with the security vulnerability created by bad password practices. “Companies are saying, ‘We have too many applications that require passwords, we can’t control the mobile devices that are being brought to work,’” Oberg said. “Every application ever written assumes it requires a password, and that just doesn’t work at Internet scale.”
Ping’s solution is a token system that represents identification. But as Kreizman pointed out, “Solutions are not ‘one size fits all,’ and solutions that provide SSO to all target systems may be deemed too expensive. Therefore, a best practice is to identify the tactical and strategic approaches that reduce enough of the problem space over time and within budget.”
To assess enterprise needs, Kreizman suggests first scoping the problem space: identify the user population and use cases that require a solution, and inventory the target systems, their architectures and their anticipated lifetimes.
- User population: Identify whether a solution set should cover employees, contractors, external business partners or consumers/constituents.
- Use cases and applications: Identify the logical location of users and the target systems that must be accessed — for example, internal users accessing internally managed applications and software as a service (SaaS) applications, or external consumers and business partners accessing internally managed applications. Identify the applications and use cases that are currently used the most and generating the most calls to the help desk for authentication-related issues.
- Applications and their architectures: Determine the application architecture for each application deemed to be in scope for an SSO initiative.