There’s a steady stream of headlines in the news about cyber attacks in which the sensitive data of thousands, and in some cases millions, of users has been obtained by “hackers”. These stories have involved many big household names such as Sony and Adobe, and more recently big brands from the retail and banking sectors.
While the nature of the vulnerabilities exploited in each of these attacks matters to the organisation concerned, the resulting compromise of user data may leave many more individuals open to more basic threats.
Passwords are vulnerable
We all know that passwords are vulnerable to brute force attacks, social engineering and mass data compromise. To the average consumer they are a burden, and with the increasing need to have many on-line accounts, the inevitability of users re-using the same password across multiple accounts is very apparent.
To counter this, some on-line services and applications have begun to adopt two factor authentication; Twitter, Facebook and Google (as well as many others) have introduced a variety of systems.
The use of 2FA in business is long established, but even here we are seeing the increased use of such technologies to try to improve the security surrounding the user logon process.
The landscape is too complex
It is this very increase in adoption, and its variety, that is now introducing problems of its own.
2FA may be part of the answer, but having too many disparate systems all trying to do the same thing makes it too complex for the end user to accept and for the systems administrators to manage.
We’re back in the same situation, with users trying to manage multiple accounts with multiple logins; it’s too hard. In this instance, users can’t just re-use the login as they might have done with passwords to mitigate the complexity, so instead they either don’t adopt the “safer option” of adding 2FA to their accounts in the first place, or they constantly have to resort to the help desk to reset their credentials. The consequence of this behaviour is to negate much, if not all, of the advantage of 2FA in terms of security, and indeed cost and efficiency.
There’s a need for a simple means of federation
How then do we simplify matters so that users adopt 2FA by choice, and thereby enable the business to provide much better and more cost effective security?
Part of the answer must be to provide a more federated system of identity management. Federated authentication means having one or more Identity Providers to which client applications or services refer when they need to authenticate a user. Think of it as a friend or big brother whom everyone trusts and who will always vouch for you.
Users and services need to trust the Identity Providers to hold, and keep secure, the means by which a user is authenticated. A very common use of this technique is logging in to another service or application with a Facebook or other social media account (“Login with Facebook”).
SAML – Security Assertion Markup Language
From an enterprise point of view, logging in with a Facebook or Google identity is not really a practical option for most people. However, there are other ways to achieve the same efficiencies – a single, extremely secure login for multiple distributed systems.
SAML is a key part of any identity management strategy: it is the underlying enabling technology that allows a communications framework to be built between Identity Providers and Service Providers.
Systems such as Shibboleth or Microsoft’s ADFS (an implementation of Shibboleth) can be used alongside a directory service such as AD, acting as standard Identity Providers and enabling the federation or ‘extension’ of the corporate authentication system to many additional services (often cloud based) such as Office 365 or Google Apps.
When it comes to adding further security such as 2FA to this, so as to completely remove the need for end user passwords (which is where we came in), we need to make sure that the token authentication management system supports SAML, can be used as the default arbiter, and integrates fully with the corporate directory service (AD), the Identity Provider or arbiter (ADFS) and the Service Provider (Office 365).
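To make the trust relationship above concrete, here is an added example (not code from the original post or from any product named in it) of the checks a Service Provider makes on a SAML assertion before it accepts the Identity Provider’s word: that the assertion came from the trusted IdP, is still within its validity window, was issued for this service, and that the IdP actually used a second factor. The entity IDs, the accepted authentication-context classes and the sample assertion are constructed assumptions.

```python
# Added example, not code from the original post: the Service Provider side of a SAML
# federation checking an assertion from its trusted IdP. All names/times are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed values: the entity ID of the trusted IdP (an ADFS-style URL), this SP's
# own entity ID, and which AuthnContext classes this SP accepts as proof that the
# IdP used a second factor (a deployment policy choice, not fixed by SAML itself).
TRUSTED_IDP = "https://adfs.example.com/adfs/services/trust"
THIS_SP = "urn:example:office365-sp"
STRONG_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
}

def _ts(value):  # SAML timestamps are UTC with a trailing Z, e.g. 2014-06-01T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, now_iso):
    """Return (True, subject) if the assertion is acceptable, else (False, reason).
    XML signature verification is assumed to have passed already in the SAML
    library; these are the policy checks an SP must still make after that."""
    a = ET.fromstring(xml_text)
    if a.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        return False, "issuer is not the trusted IdP"
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion carries no Conditions"
    now = _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    if THIS_SP not in [e.text for e in cond.iterfind(".//saml:Audience", NS)]:
        return False, "assertion was issued for a different service"
    if a.findtext(".//saml:AuthnContextClassRef", namespaces=NS) not in STRONG_CONTEXTS:
        return False, "IdP did not assert a second factor"
    return True, a.findtext(".//saml:NameID", namespaces=NS)

# Constructed sample assertion: the IdP vouching for alice after a one-time-token login.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_c1" Version="2.0" IssueInstant="2014-06-01T10:00:00Z">
  <saml:Issuer>https://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-06-01T10:00:00Z" NotOnOrAfter="2014-06-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:example:office365-sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2014-06-01T10:00:00Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""
```

Calling `check_assertion(SAMPLE, "2014-06-01T10:02:00Z")` accepts alice; the same assertion presented after 10:05, issued for another audience, or carrying only a password-based context is refused with the matching reason.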
SafeNet’s Authentication Service is one such authentication solution. Available as a cloud based service or an on-premise implementation, SAS provides all the integration options needed to create a highly cost effective, fully integrated, federated single sign-on solution for any business.