Re: Single Sign-On Compliancy

[Todd Haverkos <infosec () haverkos com>]

Alex Manchester <amanchester () gmail com> writes:

> I have been tasked with researching potential Compliancy concerns regarding
> implementing a single sign-on solution.
> The majority of the information has been relatively positive such as
> providing centralized user and log management.
> Other than ensuring the security and minimum strength requirements of the
> master password, are there other concerns anybody else has faced with
> implementing or researching a SSO solution.

One issue I've seen in single sign ons in large organizations is that
just about anyone can stand up an internal web server that looks to
hook into the single sign on API and herds of users (who are used to
providing that one magical credential) are happy to type it in just
about anywhere.

Without some sort of one time password integrated, this can make
single sign on tantamount to an authentication monoculture with its
attendant weaknesses. 

I have no silver bullet here other than foisting unpopular 2-factor
auth on people (insert joke about RSA's current woes here), but it's a
risk to be aware of at least.  The benefits of SSO still generally
outweigh warts like this. 

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com