Multi-Factor Authentication and Single Sign-On Explained
A user ID and password alone are no longer enough to protect an organization's most sensitive information. Identity theft, data breaches, malware, and malicious actors mean that digital security must keep evolving to stay one step ahead of the threats. Strong, reliable authentication in a modern government, non-profit, SMB, or enterprise environment is not just important today; it is mandatory. Good security takes into account the needs of both the organization and the employee, balancing protection and ease of use. Security officers weighing two common identity projects, single sign-on (SSO) and multi-factor authentication (MFA), need to consider the pros and cons of each approach. Of course, the two are not mutually exclusive; you can have both. But given the budget constraints most IT organizations work under, knowing how to allocate time and money between one project and the other can make all the difference.
What is Multi-Factor Authentication?
MFA verifies a person's identity by checking more than one independent factor before granting access to software, systems, and data. The factors come from the following categories, and real MFA combines at least two different categories; a password plus a PIN is still one "what you know" factor:
- What you know: a password, personal identification number, or recovery questions. This is the weakest category, because it can be phished, guessed, or reused across sites.
- What you have: a smartcard, FIDO security key, a hardware or app-based one-time password (OTP) generator, a Bluetooth device, an Apple Watch, or some other authenticator. The OTP itself is not the factor; it is proof that the user holds the device that generated it.
- What you are: a biometric authenticator, such as a fingerprint or face recognition.
- What you do and where you are: contextual signals such as GPS location, IP address, whether the device is domain-joined (which is what Integrated Windows Authentication (IWA) actually establishes, rather than location), and typing rhythm (keystroke biometrics). Most frameworks, NIST SP 800-63 among them, treat these as risk signals that adjust how much authentication to demand rather than as authentication factors in their own right.
What is Single Sign-On?
The concept behind single sign-on is straightforward: users authenticate once, at the beginning of their work period, to a central identity provider, and that one session then unlocks every other application they need. How the other applications get unlocked depends on the flavor of SSO. Older password-vaulting SSO stores a separate credential for each application and replays it on the user's behalf. Federated SSO (SAML or OpenID Connect) stores no application passwords at all; the identity provider sends each application a signed assertion stating who the user is and how they authenticated, and the application trusts that signature instead of keeping its own copy of the password. The advantages of single sign-on include:
- Users only have to remember one password. They may occasionally still be asked for credentials by an application that is not integrated, but the effort is far smaller.
- Extra security, such as biometric authentication, a USB security key, or a soft token, can be added to the initial sign-on, where it then protects every application behind it. This is where MFA comes into play.
- SSO is quick and convenient for the end user. It saves the time otherwise spent logging into many different applications one by one.
- Credential exposure is reduced in some cases. With password vaulting, third-party application credentials are stored centrally rather than scattered across external systems; with federation, the application never receives a password at all, and access can be revoked in one place.
- There are fewer calls to the service desk for password resets, reducing IT support resource needs.
The disadvantages of single sign-on include:
- If an attacker or malware takes over a user's SSO session, or the identity provider itself, every system behind the SSO is compromised at once.
- SSO therefore has to be deployed with strong authentication at the front door (MFA on the identity provider), short session and token lifetimes, signed assertions that each application validates, and TLS on every hop, to keep that from happening.
- Loss of availability of the SSO system means users cannot reach any of the systems behind it; the identity provider is a single point of failure and needs redundancy accordingly.
The Best of Both Worlds—Combining SSO and MFA
MFA and SSO approach authentication from different directions. SSO is more convenient for users but concentrates risk: one credential now opens everything. MFA raises the bar for that credential, but applied naively, with a second-factor prompt on every application, it is less convenient. Can the two be combined into something that is both convenient and secure? That is the direction the identity industry is moving in; again, it is about the evolution of security. Approaches now being tested and used include:
- Requiring MFA once, at the start of the day, on the SSO sign-on itself.
- Granting authenticated users continued access for the rest of their workday without further prompts.
- Requiring a fresh or stronger authentication (step-up) before access to the most sensitive systems.
- Re-authenticating the user when software detects a change in their behavior mid-session.
- Using criteria such as location, role, seniority, and the like to decide when a new authentication is needed.
- Using risk-scoring algorithms to request additional credentials only in the cases that warrant it (adaptive or risk-based authentication).
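To make both the single sign-on section and the list above concrete, here is an added example in Python; it is not code from the original article or from any identity product. An identity provider issues a signed assertion after a login, a service provider verifies it without ever holding the user's password, and the service provider's policy decides from the assertion's authentication method and time, plus the request context, whether to allow, step up, or deny. The issuer URL, application tiers, time limits, IP addresses and signing key are assumed values, and a shared-key HMAC stands in for the asymmetric signatures that real SAML and OIDC deployments use.

```python
"""Federated SSO assertion plus a step-up policy, in pure Python.

Added example, not code from the original article or any identity product.
An identity provider (IdP) signs an assertion saying who logged in, how (the
`amr` list, using RFC 8176 method names) and when; a service provider (SP)
trusts that signature instead of keeping its own password for the user; the
SP's access policy then decides whether the session is fresh and strong
enough for the application requested. The signature is HMAC-SHA256 with a
shared key to keep the example short; SAML and OpenID Connect use asymmetric
signatures so SPs hold only the IdP's public key. All names, tiers and
timeouts below are assumed values.
"""
import base64
import hashlib
import hmac
import json

KEY = b"idp-signing-key-for-this-example-only"  # constructed; a real IdP uses an RSA/EC key pair
ISSUER = "https://idp.example"                  # hypothetical identity provider


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject: str, audience: str, amr: list[str], now: int,
                    lifetime: int = 8 * 3600) -> str:
    """IdP side: sign claims about who authenticated, how, when and for which SP."""
    claims = {"iss": ISSUER, "sub": subject, "aud": audience, "amr": amr,
              "auth_time": now, "iat": now, "exp": now + lifetime}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_assertion(token: str, expected_audience: str, now: int) -> dict:
    """SP side: accept only assertions signed by the IdP, addressed to us, and unexpired."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed assertion")
    body, sig = parts
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unknown issuer")
    if claims.get("aud") != expected_audience:  # an assertion for app A must not unlock app B
        raise ValueError("wrong audience")
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims


# Assumed policy: sensitivity tier per application, the maximum age of the
# underlying login for each tier, and which RFC 8176 amr values count as a
# genuine second factor (hardware key, software key, OTP, smartcard, or an
# IdP that already asserts "mfa").
SENSITIVITY = {"wiki": 0, "payroll": 1, "prod-admin": 2}
MAX_AUTH_AGE = {0: 8 * 3600, 1: 30 * 60, 2: 5 * 60}
STRONG_AMR = {"hwk", "swk", "otp", "sc", "mfa"}


def authorize(claims: dict, now: int, session_ip: str, request_ip: str) -> str:
    """Return 'allow', 'step-up' (send the user back to the IdP for fresh MFA) or 'deny'."""
    tier = SENSITIVITY.get(claims["aud"])
    if tier is None:
        return "deny"                     # application not covered by policy
    has_mfa = bool(STRONG_AMR & set(claims.get("amr", [])))
    if tier >= 1 and not has_mfa:
        return "step-up"                  # password-only login, sensitive application
    if now - claims["auth_time"] > MAX_AUTH_AGE[tier]:
        return "step-up"                  # login too old for this tier
    if tier >= 1 and request_ip != session_ip:
        return "step-up"                  # network changed mid-session
    return "allow"


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_assertion("alice", "payroll", ["pwd", "otp"], now=t0)
    claims = verify_assertion(token, "payroll", now=t0 + 100)
    print(authorize(claims, t0 + 100, "10.0.0.5", "10.0.0.5"))     # allow
    print(authorize(claims, t0 + 3600, "10.0.0.5", "10.0.0.5"))    # step-up: login older than 30 min
    print(authorize(claims, t0 + 100, "10.0.0.5", "203.0.113.9"))  # step-up: different network
```

Because every application trusts KEY, whoever holds it can mint an assertion for any user and any audience; that is the concentration of risk described under the disadvantages of SSO, and it is why an identity provider's signing key belongs in an HSM and why each service provider must check audience and expiry, not just the signature. The step-up decision lives at the service provider rather than the identity provider because only the application knows how sensitive the requested resource is; what it sends back to the identity provider is a request for a fresher or stronger `amr`.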