This document compares two product categories that address the same business problem: password complexity. The two types of products are:
- password synchronization and reset, and
- enterprise single sign-on.
This document is organized as follows:
- Background: one problem, two solutions
The business problems caused by password complexity are described, and two alternate solutions to address these problems are explained.
- Strengths and weaknesses
The strengths and weaknesses of three technologies designed to address password complexity are reviewed.
The major tasks that must be accomplished in order to deploy each of the three technologies are identified.
- Motivation for a combined solution
Business drivers for deploying a combination of solutions are laid out.
- Interoperability challenges and integration approaches
Password reset and enterprise single sign-on technologies can interfere with one another. Similarly, password synchronization and enterprise single sign-on technologies can conflict. Integrating the technologies is essential to eliminating these conflicts.
Hitachi ID Password Manager supports both lightweight and full integration with enterprise single sign-on systems.
Background: one problem, two solutions
Passwords present a number of problems for organizations:
- Users have too many passwords and have a hard time remembering them all.
- Password management is exacerbated when different passwords expire on different schedules, are changed via different user interfaces and are subject to different policies.
Users respond to these problems by:
- Choosing trivial (and insecure) passwords.
- Avoiding password changes.
- Writing down their passwords, effectively reducing logical security to be equal to physical security.
Users often forget their passwords or mistype them, creating high IT support call volumes at the help desk -- this is both inconvenient for users and costly for the organization.
The impacts of poor password management are:
- User frustration.
- High IT support cost.
- Weak authentication.
Password synchronization and password reset
A popular approach to tackle password problems is to synchronize different passwords, so a user only has to remember one, and empower users to reset forgotten passwords or clear intruder lockouts on their own, without calling the help desk.
Password Manager offers these capabilities.
Password synchronization is any process or technology that helps users to maintain a single password, subject to a single security policy, across multiple systems.
Password synchronization is an effective mechanism for addressing password management problems in medium to large organizations:
- Users with fewer passwords tend to remember them.
- Simpler password management means fewer problems and fewer help desk calls.
- Users with fewer passwords are less likely to write them down.
There are two ways to implement password synchronization:
- Transparent password synchronization, where native password changes that already take place on a common system (for example, Active Directory) are automatically propagated through the password management system to other systems and applications.
- Web-based password synchronization, where users change all of their passwords at once, using a web application.
Self-service password reset and unlock
Self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate method and repair their own problem, without calling the help desk.
Users who have forgotten their password or triggered an intruder lockout may launch a self-service application using an extension to their PC login prompt, using their own or another user's web browser, using an app on their smartphone or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by entering a PIN sent to their phone, by answering a series of personal questions, by using a hardware authentication token or by providing a biometric sample. Users then either select a new password or simply clear the lockout on their account.
Self-service password reset expedites problem resolution for users and reduces help desk call volume. It can also be used to ensure that password problems are only resolved after strong user authentication, eliminating an important weakness of many help desks: social engineering attacks.
One of the core features of Password Manager from Hitachi ID Systems is self-service password reset.
Enterprise single sign-on
Enterprise single sign-on (E-SSO) systems minimize the number of times that a user must type their ID and password to sign into applications.
Most enterprise single sign-on systems work as follows:
- E-SSO client software is installed on user PCs.
- Users sign into their PC using a password or other primary credential.
- A local or network file, database or directory is used to store application login IDs and passwords for each user. This is often referred to as a "password wallet."
- When a user launches an application, the E-SSO client software automatically fills in the ID and password fields in the login screen with credentials from the aforementioned "wallet."
The password wallet is often encrypted, normally with a key derived from the user's primary password. Where users sign into their PC with a smart card, a private/public key pair is used to encrypt the wallet. Where other types of credentials, such as proximity badges or biometrics, are used to sign into the PC, wallet encryption is necessarily based on a retrievable password and the overall scheme is insecure.
E-SSO software acts as a surrogate for the user: storing, retrieving and "typing in" the user ID and password on behalf of the user. The user continues to have multiple ID/password pairs, but does not have to type them manually and may not know what they are.
When applications prompt users to change their passwords, E-SSO systems often choose a new, random password and store it in the password wallet. The result is that users no longer know their own application passwords and are therefore totally reliant on the E-SSO system to sign into applications.