PaulDotCom mailing list archives
Re: Single Sign-On Compliancy
From: Todd Haverkos <infosec () haverkos com>
Date: Thu, 24 Mar 2011 08:13:58 -0500
Alex Manchester <amanchester () gmail com> writes:
> I have been tasked with researching potential Compliancy concerns regarding implementing a single sign-on solution. The majority of the information has been relatively positive, such as providing centralized user and log management. Other than ensuring the security and minimum strength requirements of the master password, are there other concerns anybody else has faced with implementing or researching an SSO solution?
One issue I've seen in single sign-ons in large organizations is that just about anyone can stand up an internal web server that looks to hook into the single sign-on API, and herds of users (who are used to providing that one magical credential) are happy to type it in just about anywhere. Without some sort of one-time password integrated, this can make single sign-on tantamount to an authentication monoculture with its attendant weaknesses.

I have no silver bullet here other than foisting unpopular 2-factor auth on people (insert joke about RSA's current woes here), but it's a risk to be aware of at least. The benefits of SSO still generally outweigh warts like this.

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
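One defensive check that follows from the risk Todd describes (the SSO credential being typed into any internal page that asks for it) is to watch where the SSO form actually gets submitted. The script below is an added example written for this archive page; it is not code from the thread or from any SSO product. It assumes a forward proxy or web gateway configured to log the *names* (never the values) of submitted form fields, a hypothetical sanctioned identity-provider hostname `sso.example.internal`, and hypothetical SSO form field names `sso_user` and `sso_pass`. The log lines are constructed for the example. Any POST carrying those field names to a host other than the real IdP is flagged as a likely look-alike login page.

```python
"""
Detect SSO credential submissions to hosts other than the sanctioned IdP.

Added example (not from the mailing-list thread). Assumes a proxy log format of:
  <timestamp> <client-ip> <method> <url> <status> fields="<comma-separated form field names>"
Only field *names* are expected in the log; values must never be logged.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical: the only hostname the SSO password should ever be sent to.
SSO_IDP_HOSTS = {"sso.example.internal"}
# Hypothetical: the field names used by the genuine SSO login form.
SSO_FORM_FIELDS = {"sso_user", "sso_pass"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) fields="(?P<fields>[^"]*)"$'
)

# Constructed sample log: one legitimate login, two submissions of the SSO
# field names to non-IdP hosts, and two benign requests.
SAMPLE_LOG = """
2011-03-24T08:01:12Z 10.1.4.22 POST https://sso.example.internal/login 302 fields="sso_user,sso_pass,csrf"
2011-03-24T08:02:40Z 10.1.4.22 GET https://wiki.example.internal/ 200 fields=""
2011-03-24T08:03:05Z 10.1.9.7 POST http://helpdesk-tools.example.internal/auth 200 fields="sso_user,sso_pass"
2011-03-24T08:04:19Z 10.1.9.7 POST https://timesheets.example.internal/submit 200 fields="hours,project"
2011-03-24T08:05:51Z 10.1.12.3 POST http://10.1.50.9/sso/login 200 fields="username,sso_pass"
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    host: str
    url: str
    matched: Tuple[str, ...]  # SSO field names seen in the submission


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {f for f in rec["fields"].split(",") if f}
    return rec


def find_credential_leaks(lines: List[str]) -> List[Finding]:
    """Return every POST that carries SSO form field names to a non-IdP host."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        host = (urlsplit(rec["url"]).hostname or "").lower()
        if host in SSO_IDP_HOSTS:
            continue  # the genuine IdP is the one place these fields belong
        matched = tuple(sorted(rec["fields"] & SSO_FORM_FIELDS))
        if matched:
            findings.append(Finding(rec["ts"], rec["client"], host, rec["url"], matched))
    return findings


def hosts_by_count(findings: List[Finding]) -> List[Tuple[str, int]]:
    """Rank offending hosts by how many credential submissions they received."""
    return Counter(f.host for f in findings).most_common()


if __name__ == "__main__":
    hits = find_credential_leaks(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} client={f.client} host={f.host} fields={','.join(f.matched)}")
    print("hosts:", hosts_by_count(hits))
```

Hosts that show up in `hosts_by_count` are candidates for an administrator to review: either a legitimate application that integrated with SSO the wrong way (collecting the password itself instead of redirecting to the IdP) or an unsanctioned login page. Pairing this with the one-time-password step Todd mentions limits the damage of either case, since a captured password alone is then not sufficient.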