- Reduces both password problem frequency and help desk call volume.
- Easily deployed -- no client software, limited server-side agents.
- Compatible with different types of endpoint devices (Windows PCs,
Macs, Android, iOS, etc.).
- Can improve the quality of all passwords.
- Users still have to sign into each system separately.
- All passwords are the same -- a compromise of any one leads
to a compromise of all.
- Some systems may have to be left out of scope, because of limited
support for strong passwords or insecure password storage or
Self-service password reset (SSPR)
- No matter what solution is deployed, users will eventually
have login problems. Self-service helps address this.
- Easily deployed -- while client software is commonly used, it is
not particularly invasive and users can still work without it.
- Some types of problems, such as when users forget their primary
password while off-site, cannot be resolved by the help desk but
can be addressed using SSPR.
- Ensures strong, secure authentication prior to changing passwords.
- Does not by itself address the frequency of password problems
-- only diverts resolution away from the help desk.
- Requires user cooperation to be effective.
Enterprise single sign-on (E-SSO)
- Eliminates repetitive sign-ons by users.
- Typically maintains different passwords on every system.
Compromise of one application password does not lead to compromise
- Does not require deployment of software on target systems.
- Suitable even when target systems store or transmit passwords
insecurely, since this does not compromise the security of
- Smart cards are a reasonable alternative for primary PC login,
to be used instead of passwords.
- Costly and risky deployment of quite invasive client software
to user PCs.
- Locks users into their PCs -- they cannot sign into their applications
from a Mac or their smartphone or tablet, as there is usually no
equivalent E-SSO software on these clients able to retrieve and
inject application passwords.
- Single point of failure: if the E-SSO system is down, users
can't sign into anything.
- Compromise of a user's primary PC login password compromises all
- If a user forgets their primary password, then none of their
application passwords can be decrypted. This calls for a complex
and risky password recovery scheme.