Strengths and weaknesses

Each of the three technologies has its own strengths and weaknesses:

Password synchronization

Strengths:
  • Reduces both password problem frequency and help desk call volume.
  • Easily deployed -- no client software, limited server-side agents.
  • Compatible with different types of endpoint devices (Windows PCs, Macs, Android, iOS, etc.).
  • Can improve the quality of all passwords.

Weaknesses:
  • Users still have to sign into each system separately.
  • All passwords are the same -- a compromise of any one leads to a compromise of all.
  • Some systems may have to be left out of scope, because of limited support for strong passwords or insecure password storage or transmission.

Self-service password reset (SSPR)

Strengths:
  • No matter what solution is deployed, users will eventually have login problems. Self-service helps address this.
  • Easily deployed -- while client software is commonly used, it is not particularly invasive and users can still work without it.
  • Some types of problems, such as when users forget their primary password while off-site, cannot be resolved by the help desk but can be addressed using SSPR.
  • Ensures strong, secure authentication prior to changing passwords.

Weaknesses:
  • Does not by itself address the frequency of password problems -- it only diverts resolution away from the help desk.
  • Requires user cooperation to be effective.

Enterprise single sign-on (E-SSO)

Strengths:
  • Eliminates repetitive sign-ons by users.
  • Typically maintains different passwords on every system. Compromise of one application password does not lead to compromise of another.
  • Does not require deployment of software on target systems.
  • Suitable even when target systems store or transmit passwords insecurely, since this does not compromise the security of other applications.
  • Smart cards are a reasonable alternative for primary PC login, to be used instead of passwords.

Weaknesses:
  • Costly and risky deployment of quite invasive client software to user PCs.
  • Locks users into their PCs -- they cannot sign into their applications from a Mac or their smartphone or tablet, as there is usually no equivalent E-SSO software on these clients able to retrieve and inject application passwords.
  • Single point of failure: if the E-SSO system is down, users can't sign into anything.
  • Compromise of a user's primary PC login password compromises all application passwords.
  • If a user forgets their primary password, then none of their application passwords can be decrypted. This calls for a complex and risky password recovery scheme.
