Have you ever read something and thought, “What did I just read?” For example, “What is the cost and loss of NOT using Two Factor Authentication with Single-sign on?” I wrote that sentence, and it is still a mouthful. Let’s try and break it down before building it up again to see if it can be understood by everyone.
Our story starts with a single user, Shirley with the short haircut. Shirley arrives for her first day of work, and within an hour of being there has her first set of credentials: A brand new shiny account name and password. She has been given very specific instructions to change this temporary password to one of her own choosing. However, she may not write the new password down for fear that an intruder would use it to their malicious advantage.
The first week goes by, and Shirley has done a terrific job remembering her password without writing it down. Life is good. At the start of week two, Shirley is put on her first assignment and is given additional credentials for the web-based project management tool, again with the same stern reminder not to write her password down. She manages to get through the second week and has no trouble keeping the two sets of credentials in her head.
Shirley’s third week at her new position doesn’t start as well, since it happens to follow a three-day holiday weekend. It doesn’t take long into that third Tuesday for her to realize that not only can she not remember which password is for her client machine and which one is for the project web site, but she also can’t remember where the special symbols go and which letters are supposed to be upper case.
Her cube mate, Sherry with the shiny shoes, hears her muffled cries of anguish and asks what’s wrong. Sherry reassures her that this happens to many people, and it can be resolved with help from the nice people at the IT Helpdesk . . . this is a good spot in our tale to refer back to the loss and cost comment. The loss here is Shirley’s lack of productivity this morning because she forgot her passwords. The cost is the dollar value that can be placed on the time that Shaun, the sharp IT guy, will need to help our gal; time that could have been spent on a project or more profitable tasks.
Shirley gets sorted out and continues to do well at her position. So well, in fact, that before she knows it she has half a dozen accounts and passwords for the tools she uses. Every once in a while the passwords slip out of her memory, and she again needs outside assistance to get back to being productive. Now, I’m not just picking on Shirley here. It is common across the board for people to forget one or more passwords, usually on Mondays, which sharply increases both the cost of resetting passwords and the loss of productivity.
The access control conundrum above is exactly the problem single sign-on (SSO) was invented to solve. With SSO, users still have to authenticate before they get to protected resources, but they provide their credentials only once, to a central identity provider. Remembering one password is far more manageable than remembering half a dozen or more. The employee logs in to that main account, and access to the other resources is handled under the covers by security tokens issued by the identity provider: the user’s browser carries a token to each protected site, and the site checks the token’s signature, expiry and intended audience instead of asking for a password of its own.
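To make the token hand-off concrete, here is a small simulation of that flow. It is an added example written for this post, not code from any SSO product: one identity provider checks Shirley’s password once and issues a signed token, and each protected application verifies the token rather than keeping its own password for her. The token format, the shared signing key, the salt and the user record are all assumptions constructed for the demonstration (real deployments typically use the identity provider’s public key and a standard format such as a SAML assertion or an OpenID Connect ID token).

```python
# Added example (not from the original post): a minimal single sign-on flow.
# The identity provider (IdP) verifies the password once and issues a signed
# token; each application verifies the signature, expiry and audience of that
# token instead of holding a password of its own for the user.
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data: the IdP stores a salted password hash, never plaintext.
SALT = b"constructed-fixed-salt"           # assumption: per-user salts in practice

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"shirley": _hash_password("Sh1rley!Pass", SALT)}

# Assumption: a symmetric key shared by the IdP and the apps, for brevity.
SIGNING_KEY = b"constructed-signing-key-for-demo-only"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_login(username, password, audiences, ttl=300, now=None):
    """Check the password once; return a signed token, or None on failure."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, _hash_password(password, SALT)):
        return None
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "aud": sorted(audiences), "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def app_verify(token, audience, now=None):
    """What each protected site does: verify the token, never re-prompt for a password.
    Returns the username on success, None otherwise."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None            # forged or tampered token
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        return None            # expired: the user must log in to the IdP again
    if audience not in claims["aud"]:
        return None            # issued for other apps; not valid at this one
    return claims["sub"]

if __name__ == "__main__":
    token = idp_login("shirley", "Sh1rley!Pass", ["project-tool", "wiki"])
    print(app_verify(token, "project-tool"))   # shirley
    print(app_verify(token, "payroll"))        # None: wrong audience
```

The three checks in `app_verify` are the ones that matter in any real SSO deployment: a bad signature means the token did not come from the identity provider, an expired token forces a fresh login, and the audience check stops a token minted for the wiki from being replayed against payroll.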
Even though SSO solves the password sprawl problem very well, it concentrates risk: the one password now unlocks everything. What if someone were to guess or phish Shirley’s, Sherry’s, or even Shaun’s password? Every protected resource behind that login would be compromised at once. Adding a second factor alongside the password addresses this. Two-factor authentication (2FA) requires proving both something you know (the password) and something you physically have (a cell phone, a hardware security token, etc.). Learning the password is no longer enough to get into the account; the attacker would also need possession of the physical factor. And because SSO makes the main login the front door to everything, that is precisely the login where the second factor belongs.
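The most common “something you have” for a phone is a time-based one-time code (TOTP, RFC 6238) produced by an authenticator app from a secret shared when the user enrolled. The following is an added example, written for this post rather than taken from any product, of a login that insists on both factors. The user record, the shared secret and the clock values are constructed for the demonstration; the one real-world value is the RFC 6238 test vector used in the check at the bottom.

```python
# Added example (not from the original post): a two-factor login check.
# The password is the knowledge factor; a TOTP code (RFC 6238) generated on the
# user's phone from a shared secret is the possession factor. Both must pass.
import hashlib
import hmac
import struct
import time

# Constructed sample data (a real system stores the password hashed, as in the
# SSO example above, and the TOTP secret encrypted at rest).
PASSWORDS = {"shirley": "Sh1rley!Pass"}
TOTP_SECRETS = {"shirley": b"constructed-shared-secret"}   # what the phone app holds
STEP = 30            # seconds per code
DIGITS = 6
LAST_COUNTER = {}    # per user: highest counter already accepted (replay protection)

def totp_code(secret: bytes, now: int) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    counter = now // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def login(username, password, code, now=None, skew_steps=1):
    """Return True only if BOTH factors check out.
    A wrong password and a wrong code fail identically, so an attacker who has
    one factor learns nothing about whether it was the right one."""
    now = int(time.time()) if now is None else now
    stored = PASSWORDS.get(username)
    secret = TOTP_SECRETS.get(username)
    if stored is None or secret is None:
        return False
    password_ok = hmac.compare_digest(stored.encode(), password.encode())
    # Accept the current step and one step either side to tolerate clock drift.
    matched = None
    for d in range(-skew_steps, skew_steps + 1):
        t = now + d * STEP
        if hmac.compare_digest(totp_code(secret, t), code):
            matched = t // STEP
    # A code is single-use: refuse any counter at or below the last one accepted.
    code_ok = matched is not None and matched > LAST_COUNTER.get(username, -1)
    if password_ok and code_ok:
        LAST_COUNTER[username] = matched
        return True
    return False

if __name__ == "__main__":
    now = int(time.time())
    code = totp_code(TOTP_SECRETS["shirley"], now)   # what the phone would display
    print(login("shirley", "Sh1rley!Pass", code, now=now))   # True
    print(login("shirley", "Sh1rley!Pass", code, now=now))   # False: code already used
    print(login("shirley", "wrong-password", code, now=now)) # False: knowledge factor
```

Two details are easy to get wrong in practice and are worth noting in the code: the acceptance window for clock drift must be paired with a record of the last counter used, or a code sniffed off the wire can be replayed for up to a minute and a half; and the password and code comparisons use constant-time comparison so that timing does not leak which factor failed.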
Does this example/description help clear the mud around the original tricky sentence? For even more help, try these links:
In case you were wondering, yes, that is Shaun the IT guy with his “cheeky” dog. Sadly, the puppy doesn’t have a name yet, and we would love a suggestion from you. Please help us name the little girl by leaving a good name for her with your comments.