The biggest misconceptions about single sign-on (SSO)

Single sign-on: log in once and every system is accessed, with no need to enter credentials again and only one password to remember. This is extremely beneficial in reducing helpdesk calls, since users only have to remember one password instead of many, and it is probably even more secure, because passwords are no longer written down and stuck to computers.

Yet many IT managers and security officers remain sceptical about implementing an SSO solution. Their scepticism is the result of a number of preconceived misconceptions about these identity and access management tools. What follows are the most common of those mistaken beliefs about SSO.

Misconception #1: Implementing SSO imposes greater pressure on security

One password is easier to hack than many. Mark Zuckerberg, Facebook’s famous founder, is an example of this: his recently revealed password, 'dadada', made headlines because it was used across several platforms to access accounts such as LinkedIn and Twitter. Would he have been better off with a different password for each of these accounts? Perhaps, yes, but a stronger password would likely have helped him avoid the embarrassment of getting hacked. One password can be the better option when users must access countless systems.

IT managers and security officers often believe that logging in once for all accounts immediately places the security of information at risk. They assume that if an unauthorised person gets hold of that single log-in credential, that person will have access to all of the account’s associated applications. However, when using SSO, all the various access entries to applications are replaced by one access point, and it is that single point that must be protected.

Simple enough, to be sure. The software allows users to use just one password for multiple accounts: once the password is entered, all accounts are accessible. Though this does appear to constitute a risk, as the Zuckerberg example above shows, an SSO-enabled log-in process is actually streamlined for the user. Here’s why that matters: having to remember just one password essentially does away with the risk that the user will scribble passwords on a piece of paper and keep them under the keyboard (as is often the case), which is what happens when they have to remember the 12 username and password combinations that the average user has without SSO.

It is also possible to add extra security to the primary SSO log-in with a second factor, such as a user card and PIN code, or with an extra-strong password. Logging in with a card and PIN code is an extremely secure form of authentication, and users also consider it very user-friendly.

Misconception #2: SSO implementations are long, drawn-out projects

This misconception wrongly assumes that because SSO implementation is part of a much bigger security policy, other components will need to be introduced along with it: more complex passwords, more careful handling of authorisations and compliance with standards imposed by the government. Because SSO affects almost all end users throughout the organisation, many of those poised to take on the 'challenge' see implementation as costing a great deal of time, especially in preparing users for the change.

SSO implementations therefore raise a host of questions, such as:

  • How do I deal with people who have multiple log-ins on one application?
  • What do I do if an application offered through SSO gets a new version?
  • What happens if the application itself asks for a password to be reset?

Unfortunately, questions like these mean SSO implementations are often pushed into the background. However, any complexity faced at implementation is no reason to postpone adding an SSO solution, because it has long-lasting benefits once up and running. By starting small, say by making the top five applications available through SSO, a considerable saving in the number of log-in actions can be achieved, justifying the purchase of the solution. Organisations that start this way have even been able to roll into production exactly what they set up during the trial phase, which made their implementation process extremely convenient.

Misconception #3: SSO is not possible in the cloud

SSO is not available in the cloud. This is just not true, even when the devices used to access an organisation’s systems are not supported by the organisation. There is no reason users cannot gain access from anywhere, on any device, when connected through an SSO solution.

Misconception #4: SSO implementations are expensive

This is simply false, because SSO solutions do not need to be set up for everyone within the organisation, meaning organisations can scale according to their needs and financial limitations. SSO only needs to be offered to a select group of people who access many different applications, not to everyone in the company. Organisational leaders can restrict the solution to the most critical departments or employees. If more licences are needed, they can be rolled out easily, in small batches as required; likewise, they can be removed to save additional money. This offers an excellent springboard for further growth and expansion in line with changing future needs.

Misconception #5: An SSO solution is needless when extremely complex passwords are enforced

Insisting on extremely complex passwords is one way to secure the network, but at the same time it is also one of the causes of insecure situations. Many end users have difficulty remembering their mandated passwords, especially when they have to recall more than a dozen username and password combinations. Requiring complex passwords often leads to frequent helpdesk calls, because employees forget them more readily. A highly insecure and undesirable situation arises when end users write their passwords on notes and leave them lying around their computer.

Dispelling these fallacies leaves something simple: with SSO, employees only have to remember one password for all of their applications. That is a simple solution to a complex problem: easier access to multiple accounts for all who need it, and fewer calls to the helpdesk, so IT staff can focus on more important priorities than password resets. And that’s no misconception.

Robert Doswell is managing director of Tools4ever UK