ActivCard Single Sign-On

Aladdin eToken SSO

Citrix MetaFrame Password Manager

eTrust Single Sign On

Evidian Secure Access Manager

HP Open View Select Access

Imprivata OneSign

P-Synch

Passlogix v-GO SSO

WebConnect SSO


The slightly unusual approach taken by Imprivata OneSign offers both innovation and robustness via its mirrored hardware-based design, and is our first Recommended product. It is both well-conceived and well-implemented. Our second Recommended product is Evidian Secure Access Manager. As part of a modular suite of well-considered solutions, it offers a combination of comprehensive functionality and ease of use that will appeal to many. It also promises scalability, in its own right and by virtue of associated products available from the same source. Our Best Buy is the ActivCard SSO, which is particularly versatile, with good directory integration, the provision for multi-factor authentication via token support, custom scripting if you wish to use it, and many other facilities. It is also well-presented, intuitive and capable of meeting most requirements in this field.

Single sign-on (2005)

Security means passwords, and passwords mean a growing productivity burden for users and employers. Single sign-on could be the answer, says Julian Ashbourn.

Password hell: isn't it ironic that something designed to help us drives us all crazy and makes life miserable? Furthermore, if we believe the propaganda from single sign-on technology suppliers, it costs us millions of dollars in help desk calls every time we blink.

While the help-desk argument might be a little over-cooked, there is no doubt that passwords and their effective management have become a real problem in the world of corporate computing. Not only do users have to remember multiple passwords, but over-zealous security administrators seem intent on making things as difficult as possible, with frequent password changes and impossibly tangled rules and policies.

Does this make the corporate desktop any more secure? A very good question. Making life difficult for users doesn't necessarily equate to good security. Certainly not if they have to carry around scraps of paper to help them remember all their passwords and associated policies. How on earth have we come to this ridiculous position?

Still, we do have to protect access to certain categories of applications and it wouldn't be ideal to use the same, simplistic password for all of them, even if this would be easier to remember.

A possible solution is to adopt a single sign-on policy, whereby the user only has to remember one password in order to gain access to all their password-protected applications. They log on once, and the single sign-on software provides the necessary credentials, however complicated the requirement may be, to the various applications.

Ah, you say. The implication is that when someone discovers another user's single sign-on password they can then access all of that user's secure applications automatically, so we are surely back to square one from a security perspective. A good point, but we still have the benefit of robust passwords travelling across the network, as well as all the various management policies we can bring to bear.

Furthermore, we can always implement a chip card or biometric verification at the front end for greater personalization. Ah, you say again. That means that the user never actually sees or knows the passwords being used and, if the single sign-on breaks, they are really up the creek.

This is another good point, although with robust and well-designed administration tools, the security administrator should be able to restore order should such an unusual event occur.

Yes, folks, single sign-on is not the perfect solution. It is a compromise. Furthermore, it could all get very messy if implemented poorly. However, for many situations, it represents a far better compromise than password hell. Most users will be able to remember a single password without writing it down in multiple places – a distinct step forwards from a security perspective.

Users will not have to waste time looking up passwords or trying to remember some daft password refresh policy – a distinct step forwards from a productivity perspective. Lastly, users will not have to sheepishly call the help desk when their multiple passwords have temporarily escaped from the little grey cells – a distinct step forwards from the support cost perspective.

All in all, there are some very strong arguments in favor of the single sign-on approach, especially for situations where access control to sensitive operational systems is involved.

In this product group test, we take a look at some of the representative products on offer and discover what features are available and how easy they are to work with.

While the fundamental concept is common to all these products, there are variations of approach that make things interesting. These days, many single sign-on products are software-based, but there are also some hardware-based solutions that may be attractive, depending on your particular situation and architecture.

You may or may not wish such a product to integrate with existing directories and policies. If, for example, you wish to introduce biometric identity verification into the broader network access scenario, you may take the chance to integrate single sign-on functionality as well, providing users with a simple access method, while maintaining high levels of security.

From this, it seems clear that the ability to integrate both with your existing applications and services and with whatever future authentication strategy you develop is among the most important factors in selecting an SSO solution.

Consolidating passwords now will yield cost benefits in the short term, but should not cramp your style when considering more advanced solutions for identity management, two-factor authentication, federated identity, and so on. If you will have difficulty scaling up in the future, that should be a consideration, though not necessarily a deal-breaker: immediate cost savings, efficiency gains and helpdesk relief might well tip the scales anyway.

Whatever your position, if you are tired of password hell and are ready to do something about it, then read on and get a flavor of what is available to help you.

