Passwords: The Achilles' Heel of SSO

Single Sign-On (SSO) has become an obvious answer to the challenges users face with passwords. According to a recent Microsoft study, participants averaged around twenty-five (25) accounts and used about 6 passwords among them. The gifted few who can remember a different password for twenty-five (25) online accounts have my sincere respect. For most of us, however, remembering passwords is not practical. We write passwords down in our little black books (phones these days), settle on some obvious pattern for our passwords, or reset passwords whenever we need to get into an account. All of these habits lead to less secure access, not more secure accounts. SSO solves the recall problem in exchange for other problems.

With SSO, there is a single password to remember and a single point of failure. Once someone or something else obtains the SSO credentials, every participating account is compromised. To be fair, SSO is convenient if you want to hand all your account access to another person while you are on vacation and can't monitor online activity.

Fundamentally, we all agree the password is no longer practical. First and foremost, a password gives no indication of who is getting account access. Protecting multiple password-protected accounts with yet another password is the subject of a mind-bending paper I have planned for the future. It seems that after fifty years of passwords and steady growth in cybercrime, something better than a password should be used to protect passwords.

What we really want to do is identify the subject who is logging in. The basic ingredients of identification are familiar.

Most of us carry some sort of government-issued photo identification; a driver's license is the one I have. Thankfully, when I'm pulled over, law enforcement can check whether the information on the license matches the issuer's records. The token widely used in two-factor authentication models this behavior, with the added twist that the number changes periodically and frequently. Unfortunately, the token can't look into my eyes and compare them with the picture the station sends back to the officer. Perhaps worse, the passcode a token displays can easily be read out to someone else at login time, the token itself can be lent, and the passcode can be intercepted.

Another ingredient is the knowledge-based question: something only I should know. What street address is familiar to me? A pretty good question, except that anyone with a browser and a few dollars can obtain all my previous addresses, phone numbers, and so on. More importantly, knowing the answer proves only that at least two parties have the information; it does not identify who is gaining account access. Unfortunately, most knowledge-based questions are not real-time.

Finally, biometrics offer a way to determine who is logging in, and SSO can benefit from uniquely identifying the user at every login. Now the question: is it live, or is it Memorex (a recording)? To determine that it is live, unique real-time information must be collected at login. When using voice, the user must say something they have never said before, and the authenticating system must confirm that the subject spoke the required words.

SSO can be a significant step towards alleviating the pain of passwords if it avoids being a single point of failure. Conclusively identifying the subject at every login not only ensures that no one else can gain access to the account, but also prevents insiders from sharing credentials and then denying involvement.

Sovay multifactor, multichannel authentication employs biometrics to make sure it is the subject who is speaking. Speech recognition is employed to make sure the subject speaks the correct response, which includes a knowledge answer and a random phrase unique to each login attempt. To make sure only the subject knows what to say, the prompt is delivered over SMS so that hackers cannot get at it. All of this is captured in a few seconds using commodity webcams and microphones.
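The liveness check described in the two paragraphs above (a random phrase the subject has never said before, delivered out of band and checked against what was actually spoken) comes down to a one-time challenge bound to a single login attempt. The following is an added illustration written for this page, not Veritrix or Sovay code: a small Python challenger that issues a random phrase per login, lets it expire, consumes it on first use, and compares a recognizer transcript against the prompt. The word list, the 60-second window, the login identifiers and the transcript strings are all constructed for the demonstration, and the speech recognizer and voice biometric are stood in for by a plain transcript string.

```python
import hmac
import secrets
import time
import unicodedata

# Constructed word list for illustration only; a production system would use a
# much larger, phonetically distinct vocabulary.
WORD_LIST = ["amber", "canyon", "delta", "falcon", "harbor", "juniper",
             "meadow", "orbit", "pepper", "quartz", "saddle", "timber",
             "violet", "walnut", "zephyr"]

# Assumed acceptance window for a spoken response, in seconds.
CHALLENGE_TTL_SECONDS = 60


def normalize(text):
    """Lower-case, drop accents and punctuation, and collapse whitespace so a
    speech-recognition transcript compares cleanly against the prompt."""
    text = unicodedata.normalize("NFKD", text)
    cleaned = "".join(ch.lower() if ch.isalnum() else " " for ch in text)
    return " ".join(cleaned.split())


class LivenessChallenger:
    """Issues one-time random phrases and verifies the spoken responses.

    Each challenge is bound to a login attempt, expires after `ttl` seconds and
    is consumed on first use, so a recording from an earlier session never
    matches a later prompt (the 'live or Memorex' question in the text)."""

    def __init__(self, words=WORD_LIST, phrase_len=4,
                 ttl=CHALLENGE_TTL_SECONDS, clock=time.monotonic):
        self.words = words
        self.phrase_len = phrase_len
        self.ttl = ttl
        self.clock = clock          # injectable so the demo can control time
        self._pending = {}          # login_id -> (phrase, issued_at)

    def issue(self, login_id):
        """Create a fresh challenge for this login attempt. The returned phrase
        is what would go to the user over the out-of-band channel (SMS in the text)."""
        phrase = " ".join(secrets.choice(self.words) for _ in range(self.phrase_len))
        self._pending[login_id] = (phrase, self.clock())
        return phrase

    def verify(self, login_id, transcript):
        """Return (ok, reason). `transcript` stands in for the recognizer's
        output on the captured audio."""
        entry = self._pending.pop(login_id, None)   # single use, even on failure
        if entry is None:
            return False, "no pending challenge"
        phrase, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return False, "challenge expired"
        expected = normalize(phrase).encode()
        spoken = normalize(transcript).encode()
        if not hmac.compare_digest(spoken, expected):
            return False, "transcript does not match prompt"
        return True, "ok"


def demo():
    """Walk through accept, replay, reuse and expiry with a controllable clock."""
    now = [1000.0]
    challenger = LivenessChallenger(clock=lambda: now[0])
    results = {}

    # 1. Genuine login: the user reads the fresh prompt back (constructed transcript
    #    with the casing and punctuation a recognizer might emit).
    prompt = challenger.issue("login-1")
    results["genuine"] = challenger.verify("login-1", prompt.upper() + "!")

    # 2. Replay: the recording from login-1 is played against the next prompt.
    #    The loop only guards the 1-in-50,625 chance of an identical phrase so
    #    the demonstration is deterministic.
    prompt2 = challenger.issue("login-2")
    while prompt2 == prompt:
        prompt2 = challenger.issue("login-2")
    results["replay"] = challenger.verify("login-2", prompt)

    # 3. Reuse: the challenge consumed in step 1 cannot be verified twice.
    results["reuse"] = challenger.verify("login-1", prompt)

    # 4. Expiry: a correct answer that arrives after the window is rejected.
    prompt3 = challenger.issue("login-3")
    now[0] += CHALLENGE_TTL_SECONDS + 1
    results["expired"] = challenger.verify("login-3", prompt3)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the four outcomes that matter here: a fresh read-back is accepted, the recording from one login fails against the next prompt, a consumed challenge cannot be verified a second time, and a late answer is rejected. Delivering the prompt over a channel the login session itself cannot read is what keeps the phrase unknown to anyone relaying that session, which is the role the text assigns to SMS.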

Contact Veritrix to learn more about our enterprise-class secure authentication and find out who is logging in.
