This document compares two product categories that address the same business problem: password complexity. The two types of products are:
This document is organized as follows:
The business problems caused by password complexity are described, and two alternate solutions to address these problems are explained.
The strengths and weaknesses of three technologies designed to address password complexity are reviewed.
The major tasks that must be accomplished in order to deploy each of the three technologies are identified.
Business drivers for deploying a combination of solutions are laid out.
Password reset and enterprise single sign-on technologies can interfere with one another. Similarly, password synchronization and enterprise single sign-on technologies can conflict. Integrating the technologies is essential to eliminating these conflicts.
Hitachi ID Password Manager supports both lightweight and full integration with enterprise single sign-on systems.
Passwords present a number of problems for organizations:
Users respond to these problems by
Users often forget their passwords or mistype them, creating high IT support call volumes at the help desk; this is both inconvenient for users and costly for the organization.
The impacts of poor password management are:
A popular approach to tackle password problems is to synchronize different passwords, so a user only has to remember one, and empower users to reset forgotten passwords or clear intruder lockouts on their own, without calling the help desk.
Password Manager offers these capabilities.
Password synchronization is any process or technology that helps users to maintain a single password, subject to a single security policy, across multiple systems.
Password synchronization is an effective mechanism for addressing password management problems in medium to large organizations:
There are two ways to implement password synchronization:
Self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate method and repair their own problem, without calling the help desk.
Users who have forgotten their password or triggered an intruder lockout may launch a self-service application using an extension to their PC login prompt, using their own or another user's web browser, using an app on their smart phone or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by entering a PIN sent to their phone, by answering a series of personal questions, by using a hardware authentication token or by providing a biometric sample. Users then either select a new password or just clear a lockout on their account.
Self-service password reset expedites problem resolution for users and reduces help desk call volume. It can also be used to ensure that password problems are only resolved after strong user authentication, eliminating an important weakness of many help desks: social engineering attacks.
One of the core features of Password Manager from Hitachi ID Systems is self-service password reset.
Enterprise single sign-on (E-SSO) systems minimize the number of times that a user must type their ID and password to sign into applications.
Most enterprise single sign-on systems work as follows:
The password wallet is often encrypted, normally with a key derived from the user's primary password. Where users sign into their PC with a smart card, a private/public key pair is used to encrypt the wallet. Where other types of credentials, such as proximity badges or biometrics, are used to sign into the PC, wallet encryption is necessarily based on a retrievable password and the overall scheme is insecure.
E-SSO software acts as a surrogate for the user: storing, retrieving and "typing in" the user ID and password on behalf of the user. The user continues to have multiple ID/password pairs, but does not have to type them manually and may not know what they are.
When applications prompt users to change their passwords, E-SSO systems often choose a new, random password and store that in the password wallet. This results in a situation where users no longer know their own application passwords and are therefore totally reliant on the E-SSO system to sign into applications.
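The two E-SSO behaviours described above, a wallet encrypted under a key derived from the user's primary password and application passwords replaced with random values the user never sees, as an added illustration that is not Hitachi ID's or any vendor's code. It uses only the Python standard library, so the SHAKE keystream plus HMAC tag is a stand-in for a real AEAD such as AES-GCM; the iteration count, wallet layout and function names are assumptions.

```python
import hashlib, hmac, json, secrets, string

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware


def derive_wallet_key(primary_password: str, salt: bytes) -> bytes:
    # The key is derived from a secret the user types. A proximity badge ID is
    # not secret and a biometric sample is not stable, so neither can feed this
    # step; that is why those login methods force a stored, retrievable password.
    return hashlib.pbkdf2_hmac("sha256", primary_password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for an AEAD: keystream from SHAKE-256, encrypt-then-MAC with HMAC.
    nonce = secrets.token_bytes(16)
    keystream = hashlib.shake_256(b"enc" + key + nonce).digest(len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):  # wrong primary password or tampering
        raise ValueError("wallet tag mismatch")
    keystream = hashlib.shake_256(b"enc" + key + nonce).digest(len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def lock_wallet(wallet: dict, primary_password: str) -> bytes:
    # Salt travels in the clear with the blob; the wallet is JSON of app -> credentials.
    salt = secrets.token_bytes(16)
    return salt + seal(derive_wallet_key(primary_password, salt),
                       json.dumps(wallet).encode())


def unlock_wallet(blob: bytes, primary_password: str) -> dict:
    salt, sealed = blob[:16], blob[16:]
    return json.loads(unseal(derive_wallet_key(primary_password, salt), sealed))


def wallet_opens(blob: bytes, primary_password: str) -> bool:
    try:
        unlock_wallet(blob, primary_password)
        return True
    except ValueError:
        return False


def rotate_app_password(wallet: dict, app: str, length: int = 20) -> str:
    # What E-SSO does when an application prompts for a change: a random password
    # the user never sees, written straight into the wallet.
    alphabet = string.ascii_letters + string.digits + string.punctuation
    new_password = "".join(secrets.choice(alphabet) for _ in range(length))
    wallet[app]["password"] = new_password
    return new_password
```

Note that because the key comes from the primary password, the E-SSO agent must re-run `lock_wallet` whenever that password changes, or the wallet becomes unreadable; a help-desk or self-service reset of the primary password that bypasses the agent is exactly the integration conflict this document describes.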