Single Sign-On (SSO)
Single sign-on (SSO) is a user authentication service that lets an end user enter one set of login credentials (such as a username and password) once and then access multiple applications.
SSO is heavily utilized in enterprises because it simplifies the user experience. Instead of employees having to remember a different password for every system they log in to and service they use, they can get into everything they need with a single password.
Other SSO benefits include productivity gains from users having to enter fewer passwords, and less time spent by Help Desk staff on password resets and on helping users who get locked out of their accounts.
What is the key security problem with SSO?
SSO and the use of a single password do present serious security vulnerabilities and other issues. Having separate passwords for separate services limits how much data can be breached if one password is stolen. In an SSO configuration, a single compromised password gives an attacker access to every system that the compromised user's credentials are authorized to reach. The single credential, and the identity provider that checks it, therefore become the highest-value target in the environment.
How Vouch Improves SSO
Vouch improves upon the login simplicity offered by SSO by using a user's biometrics as the security factor instead of a password. There is nothing for the user to remember: they simply authenticate with Face ID or Touch ID to log in.
Importantly, with Face ID and Touch ID the biometric match happens on the user's own device and the biometric template never leaves it, so there is no shared secret sent to a server or kept in a central database for an attacker to phish, replay or steal. That makes the security factor itself stronger than the average password.
Using the Vouch app is simple:
- The user goes to the site that they want to log in to.
- A message is sent to the user’s phone requesting the user to supply a biometric.
- The user supplies the biometric and is logged in.
Vouch can be used to log in to:
- Native mobile apps
- Mobile and PC web sites
- Any web service such as Salesforce, Github, Confluence, JIRA, Slack, etc.
- Email clients
- Amazon Web Services (AWS) command-line actions
- Operating systems
With Vouch, enterprises can:
- Completely eliminate passwords – Passwords are a security weakness, a terrible user experience and costly for the enterprise to support (see Cost of Password Resets).
- Simplify the user experience – make logins as simple as picking up your mobile phone, using biometrics and other security factors instead of passwords (See Vouch Modernizes MFA).
- Remove the source of breached password databases – by replacing centralized password storage with decentralized blockchain storage of user credentials (see Vouch System Overview).
- Protect User Credentials – by not storing any Personally Identifiable Information (PII), and by enabling the assertion of users’ credentials through Biometrics that reduce user friction and are more secure than passwords.
How does Authentication work without SSO?
Without single sign-on, every website or system maintains its own database of users and their credentials. This is what happens when a user wants to log in:
- The website first checks to see whether you’ve already been authenticated. If you have, it gives you access to the site.
- If you haven’t, the website asks you to log in and it checks your username and password against the information in its user database.
- After login, the site passes authentication verification data with each request as you move through the site, so that it can confirm you are still authenticated every time you open a new page.
The authentication verification data is usually passed either as a cookie carrying a random session ID that the server looks up in its session store, or as a self-contained signed token whose claims the server can verify without any lookup. Tokens are cheaper to process per request, but because the server keeps no record of them they are harder to revoke before they expire.
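The two mechanisms above side by side, as an added example that is not part of the original page: a server-side session store whose cookie value is only a random ID, and a stateless HMAC-signed token that carries its own claims. The store name, the token format and the demo key are all constructed for illustration; a real deployment would set the session cookie with the `HttpOnly`, `Secure` and `SameSite` attributes and load the signing key from a secret store.

```python
# Added example: stateful session cookie versus stateless signed token.
import base64
import hashlib
import hmac
import json
import secrets

SESSION_TTL = 3600  # seconds a login stays valid


# --- Stateful: the cookie carries only an opaque random ID; the user data
#     lives server-side, so logout/revocation is a dictionary delete.
class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, username, now):
        sid = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._sessions[sid] = {"user": username, "expires": now + SESSION_TTL}
        return sid

    def lookup(self, sid, now):
        """Return the username for a live session ID, else None."""
        rec = self._sessions.get(sid)
        if rec is None or rec["expires"] <= now:
            self._sessions.pop(sid, None)
            return None
        return rec["user"]

    def revoke(self, sid):
        # Immediate: the next request carrying this ID simply misses.
        return self._sessions.pop(sid, None) is not None


# --- Stateless: the token carries its claims plus an HMAC-SHA256 tag; the
#     server only checks the tag and the expiry, with no per-request lookup.
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, key, now, ttl=SESSION_TTL):
    payload = b64url_encode(json.dumps({"user": username, "exp": now + ttl}).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64url_encode(tag)}"


def verify_token(token, key, now):
    """Return the username if the token is authentic and unexpired, else None."""
    try:
        payload, tag = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time compare: a plain == would leak timing about the tag.
        if not hmac.compare_digest(b64url_decode(tag), expected):
            return None
        claims = json.loads(b64url_decode(payload))
        if claims["exp"] <= now:
            return None
        return claims["user"]
    except (ValueError, KeyError, TypeError):
        return None


def forge_token(token, username):
    """Attacker's attempt: swap the payload but keep the original tag."""
    _, tag = token.split(".")
    payload = b64url_encode(json.dumps({"user": username, "exp": 2_000_000_000}).encode())
    return f"{payload}.{tag}"


if __name__ == "__main__":
    now = 1_700_000_000
    key = secrets.token_bytes(32)  # constructed demo key
    store = SessionStore()
    sid = store.create("alice", now)
    tok = issue_token("alice", key, now)
    print("session:", store.lookup(sid, now), "token:", verify_token(tok, key, now))
    store.revoke(sid)
    # Revoked session is gone; the stateless token still verifies until it expires.
    print("after revoke:", store.lookup(sid, now), verify_token(tok, key, now))
    print("forged:", verify_token(forge_token(tok, "mallory"), key, now))
```

The forged token fails because the tag was computed over the original payload, and a token signed with a different key fails for the same reason; the one thing the stateless design cannot do is the `revoke` step, which is why short expiries or a server-side denylist are paired with tokens in practice.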
What makes a true SSO system?
It’s important to understand the difference between single sign-on, and password vaulting, which is sometimes referred to as SSO. With password vaulting, you may have the same username and password, but you have to enter it each time you move to a different application or website.
With SSO, after you’re logged in via the SSO solution, you can access all company-approved applications and websites without having to log in again. That includes cloud and on-prem applications which are often available through an SSO portal (also called a login portal). SSO uses a concept called federation to provide federated SSO.
What is federated SSO?
SSO solutions that use federation enable true single sign-on by taking advantage of the organization's identity provider (IdP), such as Forgerock™, Idaptive™, Okta®, Ping Identity® or Microsoft® ADFS or Azure™. The identity provider usually acts as the authentication server and stores the user's identity and related information, such as the username, password, the domains the user has access to, and even which activities the user is allowed to perform on each site or within each app. (Verifying the activities a user is allowed to perform is called authorization. For example, a user may be able to view Salesforce reports but not edit customer records.)
For true SSO, either the SSO solution is built into the identity provider or the SSO solution uses one or more identity providers to authenticate the user.
Authentication requests and information are passed using standard, secure protocols such as SAML or OpenID Connect (OIDC, which is built on OAuth 2.0; OAuth on its own handles authorization, not authentication). The websites requesting authentication have a trust relationship with the SSO solution, and trust relationships exist between the SSO solution and the identity providers. A trust relationship means that one domain trusts another's statements about user identities, devices and access privileges, and in practice it is anchored in a key or secret exchanged when the two parties are registered with each other, together with an audience restriction so an assertion minted for one application cannot be presented to another.
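The trust relationship in working code, as an added example that is not part of the original page and not Vouch's or any vendor's implementation: a toy identity provider issues an OIDC-style ID token (a JWT signed with HS256 using the client secret shared at registration, one of the signing options OIDC permits) and a relying party validates it. The issuer URL, client IDs and user names are constructed for the demo; real deployments more often use RS256/ES256 with the IdP's published keys, but every claim check shown here applies unchanged.

```python
# Added example: federated login between an identity provider and a relying party.
import base64
import hashlib
import hmac
import json
import secrets


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Authenticates users and issues ID tokens to registered relying parties."""

    def __init__(self, issuer):
        self.issuer = issuer
        self.clients = {}  # client_id -> client_secret: the trust relationship

    def register_client(self, client_id):
        secret = secrets.token_bytes(32)
        self.clients[client_id] = secret
        return secret  # handed to the relying party out of band, once

    def issue_id_token(self, client_id, subject, nonce, now, ttl=300):
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": subject, "aud": client_id,
                  "iat": now, "exp": now + ttl, "nonce": nonce}
        signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                         + b64url_encode(json.dumps(claims).encode()))
        tag = hmac.new(self.clients[client_id], signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{b64url_encode(tag)}"


class RelyingParty:
    """A website that trusts one IdP and never handles the user's password."""

    def __init__(self, client_id, client_secret, trusted_issuer, clock_skew=60):
        self.client_id = client_id
        self.client_secret = client_secret
        self.trusted_issuer = trusted_issuer
        self.clock_skew = clock_skew
        self.pending_nonces = set()

    def start_login(self):
        nonce = secrets.token_urlsafe(16)
        self.pending_nonces.add(nonce)
        return nonce  # included in the authentication request to the IdP

    def validate_id_token(self, token, now):
        """Return the subject if every check passes, otherwise None."""
        try:
            h_b64, c_b64, s_b64 = token.split(".")
            header = json.loads(b64url_decode(h_b64))
            if header.get("alg") != "HS256":  # refuse "none" and algorithm confusion
                return None
            expected = hmac.new(self.client_secret, f"{h_b64}.{c_b64}".encode(),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(b64url_decode(s_b64), expected):
                return None
            claims = json.loads(b64url_decode(c_b64))
            if claims.get("iss") != self.trusted_issuer:
                return None  # signed by someone we do not federate with
            if claims.get("aud") != self.client_id:
                return None  # minted for a different application
            if not (claims["iat"] - self.clock_skew <= now < claims["exp"]):
                return None  # not yet valid or already expired
            nonce = claims.get("nonce")
            if nonce not in self.pending_nonces:
                return None  # not a login we started, or a replay
            self.pending_nonces.discard(nonce)  # one-shot use
            return claims["sub"]
        except (ValueError, KeyError, TypeError):
            return None


def forge_alg_none_token(issuer, client_id, subject, nonce, now):
    """Attacker's attempt: an unsigned token with alg=none and an empty signature."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = b64url_encode(json.dumps({"iss": issuer, "sub": subject, "aud": client_id,
                                       "iat": now, "exp": now + 300, "nonce": nonce}).encode())
    return f"{header}.{claims}."
```

Each rejected case maps to one line of `validate_id_token`: a token minted for another registered application fails the signature check (different secret) and would fail the `aud` check even if it did not; a second presentation of a good token fails the nonce check; an `alg: none` token never reaches signature verification at all.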
Integrating Vouch to Your Environment
Vouch is easily integrated with Single Sign-on, Enterprise Identity Provider (IdP) and Identity and Access Management (IAM) solutions from suppliers such as Forgerock™, Idaptive™, Okta®, Ping Identity® or Microsoft® ADFS or Azure™, using SAML and OpenID Connect.
The Vouch SSO Authentication Difference
Vouch improves on Single Sign-On (SSO) approaches to provide the highest security and the greatest protection against credential compromise, as well as the best user experience:
- Using innovative security factors such as biometrics and device ID instead of passwords
- Removing passwords completely, simplifying the user experience and making your users and help desk more productive
- Easily integrating with your Identity Provider (IdP) or Identity and Access Management (IAM) solution with simple configuration using standard protocols, including Security Assertion Markup Language (SAML) and OpenID Connect (OIDC)
- With a SaaS product offering that lowers cost, is simple to scale and integrate, and delivers every update as soon as it is available, unlike on-premise models that force the purchase of an upgrade package and the expense of specialized services to upgrade the environment
- Using decentralized blockchain technology instead of a centralized certificate authority approach, to eliminate centralized password-based security breaches
- With support for API-driven use cases, which expose the full power of Vouch's blockchain identity to your organization and development team to enable innovative security and product experiences