Forrester's Maler notes that one of the big advantages of single sign-on is that it eliminates the need to have multiple systems storing multiple passwords. Ponemon concurs, citing a recent SSO deployment at a healthcare provider where practitioners were complaining about how they had to type in their password every time they moved to a different system. "The SSO system created both efficiency and greater security, because it had built-in safety checks to avoid giving access to the wrong person."
Single Sign-on for the Enterprise
Several enterprise password management tools offer dual-factor authentication along with single sign-on and other security capabilities, such as compliance features. Options include the following:
• ManageEngine's Password Manager Pro
• Thycotic Software's Secret Server
• SplashData's SplashID Enterprise Safe
• Lieberman Software's Enterprise Random Password Manager
While acknowledging that neither SSO nor LDAP is perfect, Paul Capizzi, who recently left his post as vice president of IT at New York-based insurance firm SBLI USA, says they're better than the alternative. Capizzi says SBLI users generally manage up to a dozen passwords, and if they regularly call the help desk for password resets, that's a waste of time for everyone.
For that reason, most of SBLI's recent upgrades included adding LDAP and single sign-on support. "We'll never turn down the opportunity to use LDAP," he says. "We're always looking for ways to leverage that, because it increases users' performance."
One LDAP drawback: Many legacy systems can't support Active Directory (AD), which means a separate password is still necessary for those systems.
"We still have a mixture of Windows-based applications and custom applications that were never designed to acknowledge the existence of AD," says a retail industry IT executive who asked that his name not be used. "Getting them to talk to each other is an investment of time and money, and it's not always our highest priority."
Feldman, meanwhile, points out that SSO has drawbacks of its own. "If your password gets compromised in one place, it's compromised everywhere," he says.
If an SSO system is breached by a phishing expedition, the hackers can then go to the website and try passwords to get to other parts of the system, he explains. Or they can start probing for an IP stack or a GRE (Generic Routing Encapsulation) tunnel. Instead of SSO, Feldman uses digital security certificates to limit the city's vulnerability.
Overall, SSO makes users' lives simpler and LDAP makes security administration easier. They're not perfect, sources agree, but together, they do provide some interim value.