Single sign on and enhanced security

RoyalTech Posts: 94 Member
In Darril's book, he states that SSO enhances security because it allows users to only have to remember a single set of credentials and, therefore, not write down a bunch of them on post-its. By looking at it in a different way however, I could see that it would do the exact opposite and decrease security. Using SSO would enable an attacker to have to crack only one set of credentials in order to obtain access to the entire network.

My question is why this is wrong (as I assume I am). I don't think this will be on the test, I was just wondering about it.

Comments

  • Roguetadhg Posts: 2,472 Member
    You're right. SSO could very well decrease security. One ring to rule them all. That's definitely a security issue, and a good point you made.

    There's bound to be measures to help negate that downfall. The one that I would say is that a stronger password would be used. A passphrase made up of numbers, letters (lower and upper-case), and special characters would increase the security a lot. C^N - Right?

    I think that's where SSO is best used - It allows an end-user to remember 1 very strong "What you know" passphrase to access the system. Not to mention mixing in PIV/CACs and biometrics for multilayer authentication to get that SSO Authentication.

    As an example, in my current company I have to remember 6 different sets of passwords - not including the 3 Windows passwords. I set up the passwords that I could set (3) as 1 password. Less to remember. But in doing so I make sure that the password is strong.

    The other three passwords. Meh. I forget and have to crack my way into my own account because they're company-IT-wide logins.

    I can just imagine how hard it is for an end-user that has to remember client login methods, as well as our own logins. I try to teach end-users to change their passwords as one joint password by changing them all at once. Some do listen, others require weekly password changes.

    All of what I said is what I've read from Darril's book. I know I'm scratching the surface at the Security Topics. If anyone else has ideas, comments - chime in. School us :)
    In order to succeed, your desire for success should be greater than your fear of failure.
    Pictures:
    Office / Lab
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • paul78 Posts: 2,982 Member
    Also - from a best practice perspective - if SSO is being implemented, the use of MFA or multifactor authentication is encouraged. For example, the use of tokens with one time passwords and pins can greatly enhance security.
  • RoyalTech Posts: 94 Member
    Roguetadhg - Well, it's good to know that I'm thinking correctly. I just assume that I'm wrong when I disagree with Darril's book because he has earned a great deal of my respect in my time on this board.

    Paul78 - This was mentioned in the previous post.

    As a response to both, I would assume that the passwords would have to be very strong at the least and preferably have some form of multifactor authentication implemented when using SSO. It just seems too easy to get access to the entire network this way for someone who knows what they are doing AKA not me. This is not to say that I don't understand where Darril is coming from on this.
  • ptilsen Posts: 2,835 Member
    SSO will increase security if used with a well-implemented dual/multi-factor authentication scheme, as it reduces the volume of separate credentials to be attacked. Without SSO, if one set of credentials or authentication mechanism is compromised, it takes longer to find out. It is also more difficult to manage the security of multiple credential systems, and each new system increases the attack surface area.

    On the other hand, having multiple systems integrated to provide SSO can also increase attack surface area, since each new system may integrate with the master system in a different manner. If any one of those integration mechanisms is insecure, it then provides an attack vector for all systems.

    Overall, SSO is usually preferable, in my opinion. As long as the management of what systems get integrated with the primary authentication system is tightly controlled, SSO security and management improvements far outweigh the increased risks, in my opinion.

    In terms of passing the exam, consider DG and the book next to infallible. CompTIA's questions will have ambiguous and disputable answers. Go with the answer they're looking for, regardless of how problematic it may be.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • YFZblu Posts: 1,462 Member
    Because generally speaking the number one threat to an asset is the user, not an external entity. It is extremely possible your user in this scenario does something unsafe like writing down all of his/her passwords on a sticky note and sliding them under a keyboard, or putting that sticky note in plain sight.
  • Roguetadhg Posts: 2,472 Member
    The vague questions are what bother me. I remember reading into the question too much destroyed a friend when he did his A+. Years ago, that is. Cisco, on the other hand, requires you to read into the question and pick it apart piece by piece. Most of the time :)

    There may be two or more correct answers. Finding the "best" correct answer is what I was told to do with CompTIA tests. I wonder if Linux+ is the same way?

    @YFZBlu: That's the thing, SSO should decrease the numbers of persons writing their passwords on a slip of paper - not on a sticky note under the keyboard. But along the side of their cubicle wall, because hiding the password under the keyboard is "too difficult" as one supervisor stated. Some even have their entire password history written down in plain sight.

    *rants...*

    :P

  • RoyalTech Posts: 94 Member
    Ptilsen - I follow Darril's book and don't question it. This was just a question I had that didn't really apply to how I would approach the exam. When it comes to the exam, I would follow Darril's book regardless of what I thought.
  • paul78 Posts: 2,982 Member
    @YFZblu - very true. And exactly why phishing continues to be a successful attack vector.

    @Roguetadhg - wow. I am surprised to hear that. Where I work that sort of behavior is grounds for termination.

    @RoyalTech - yes, you are right, strong password policies help. But strong passwords should always be used regardless of the existence of SSO. SSO is commonly associated with the use of SAML in applications, but LDAP as used in Windows for domain access is a form of SSO. From an access control viewpoint, authentication is just part of the equation; once authenticated, the computing resource still should support authorization of functionality.

    Caveat - my comments are not intended to represent the body of knowledge used by CompTIA in Security+; CompTIA may view these topics differently.
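An added example (not from this thread or any poster) of the point above that SSO answers "who are you?" while each application must still answer "what may you do?": a toy identity provider issues an HMAC-signed, short-lived assertion, and the relying application checks signature, audience and expiry, then applies its own role check and requires MFA for a sensitive action. The key, users, roles and actions are all constructed for the demo; the format is a simplified stand-in, not SAML.

```python
import base64, hashlib, hmac, json, time

# Constructed example: a hypothetical shared key between the identity provider and the app.
IDP_KEY = b"constructed-demo-secret-not-for-real-use"

def issue_assertion(user, audience, mfa_done, now=None):
    """IdP side: after login (and MFA, if done) issue a signed, short-lived assertion."""
    now = int(time.time()) if now is None else now
    body = {"sub": user, "aud": audience, "iat": now, "exp": now + 300,
            "amr": ["pwd", "otp"] if mfa_done else ["pwd"]}  # amr: how the user authenticated
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def verify_assertion(token, audience, now=None):
    """App side: trust the identity only if signature, audience and expiry all check out."""
    now = int(time.time()) if now is None else now
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body.get("aud") != audience or body.get("exp", 0) <= now:
        return None
    return body

# Constructed local authorization data: SSO says who you are; the app decides what you may do.
ROLES = {"alice": {"reader"}, "bob": {"reader", "payroll-admin"}}
# action -> (roles that may perform it, whether MFA must have been part of the login)
REQUIRED = {"view-report": ({"reader"}, False), "run-payroll": ({"payroll-admin"}, True)}

def authorize(token, audience, action, now=None):
    body = verify_assertion(token, audience, now)
    if body is None:
        return "denied: bad or expired assertion"
    roles_needed, needs_mfa = REQUIRED[action]
    if needs_mfa and "otp" not in body["amr"]:
        return "denied: step-up MFA required"
    if not roles_needed & ROLES.get(body["sub"], set()):
        return "denied: not authorized"
    return "allowed"

if __name__ == "__main__":
    t = 1_700_000_000
    tok = issue_assertion("alice", "hr-app", mfa_done=False, now=t)
    print(authorize(tok, "hr-app", "view-report", now=t))       # allowed
    print(authorize(tok, "hr-app", "run-payroll", now=t))       # denied: step-up MFA required
    print(authorize(tok, "finance-app", "view-report", now=t))  # denied: bad or expired assertion
```

A compromised password alone still gets an attacker only what the "reader" role and password-only assertions allow, which is the layering the posters above are describing.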
  • Roguetadhg Posts: 2,472 Member
    Politics, paul.

  • Danielh22185 Posts: 1,195 Member
    SSO, as stated before, does wonders if implemented intelligently. This makes me think back to my old job where I had access to what seemed like 50 different applications. A very large part of my job role was resetting passwords for various different accounts. There is no way I am going to remember 50 different passwords. I tried to keep them all similar to help me remember, but there came a time where I needed to be able to fall back on something so that I too would not become locked out when trying to assist a customer. I ended up creating an encrypted Excel document that had the application names and my user credentials. I know it's not a safe thing to do, but I tried to make it as secure as possible. However, if my user ID to the domain were to ever become compromised, that intruder would be able to use my ID to also access my Excel doc with my other passwords. So that is a good example of where traditional methods are equally insecure.

    Another thing to think about too with SSO is how it has a large potential to save a company a lot of money. You could implement many self-reset / automated systems that would be available to customers and drastically cut down on the administrative needs for user accounts. There is always risk. You can never completely eliminate risk which I'm sure you have read and know from Darril's book.
    Currently Studying: IE Stuff...kinda...for now...
    My ultimate career goal: To climb to the top of the computer network industry food chain.
    "Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi