How many times have you left your computer without locking it down? Sure, some people have a screensaver that locks the computer automatically after some elapsed period; most people set it to 20 minutes or more because shorter durations are irritating. I’m sure most developers are conscientious about security, but many, perhaps most, end users never lock their computers at all, which means that anyone can walk up to their computer while they’re away, access everything they’ve logged into, and then restore the desktop state, all without the computer owner or the network administrator being any the wiser.
I’ll Just Write That Password Down…
Physical access to a computer has always been a security concern, particularly when the primary users of those computers have username/password access to sensitive applications. But what is fairly new is the idea that you can use a single sign-on, usually your primary network account login, to gain access to those sensitive applications. Single sign-on relieves the burden of having to remember multiple username/password combinations by associating a primary account with various other applications. By giving users single sign-on capability, you save them from remembering multiple logins and reduce the administrative burden of resetting passwords, forcing users to change passwords, and maintaining multiple authentication lists.
Those aren’t trivial concerns. An article from ZDNet UK last year estimated that “up to 80 percent of calls received by helpdesk staff are from end users who’ve forgotten their passwords, and with each support call costing organizations around £15, the problem is not as trivial as it may sound.”
Even if you don’t completely agree with the numbers or the cost estimate included in that article, every administrator knows that the costs of forgotten passwords are high.
Username/password combinations have always been a problem. Administrators have tried all types of tactics to make sure users create secure, hard-to-guess passwords. When they succeed, either by giving users strong passwords or enforcing strong password rules with code, users can’t remember the passwords. So they write them down, often keeping them taped to their monitors or in their desk drawers. Administrators who don’t enforce strong passwords find that users too often choose easy-to-guess (and easy to remember) passwords, such as “opensesame,” “letmein,” their names, their pet’s name, their spouse’s name, or other vulnerable information. Unless coerced, many will reuse the same username/password combinations on all applications.
Cost Savings and Simplicity
Single sign-on is supposed to limit such vulnerabilities by providing users with one strong username/password combination. Users log into a single access point, and subsequently the system relies on that single authentication as valid authentication for every other application the user can access. Asking users to remember only one password helps ensure that they will remember it, limiting the need for users to expose that password by writing it down. Single sign-on also promises to suddenly and dramatically reduce the administration costs of maintaining and resetting multiple passwords.
Eliminating such support costs amounts to a financial windfall for organizations, a big time-saver for administrators, and a huge convenience for users, but all that convenience comes at a cost. When you reduce authentication to a single point, a breach at that single point also compromises every application a user is authorized to access. In other words, when an employee, authenticated on the network, leaves the office to go to lunch and neglects to lock down his or her computer, everyone with physical access to that computer immediately, and transparently, has access not only to the applications left open on the desktop, but to every application to which that user has access.
Trading Bad for Worse
Limiting costs and limiting the need to remember passwords is a business move, not a security move; in fact it’s tantamount to abrogating security for convenience. Inevitably, some less-than-security-conscious users will give their passwords to co-workers, to their network administrator, or to others, or, fearing their sieve-like memories, will write down that one password anyway and stick it in their desks, leaving your entire system vulnerable because one password has been compromised. That’s not a good idea.
Better methods are available now, and have been available for years. Companies looking to reduce the cost of password maintenance or improve user convenience would do well to look beyond single sign-on authentication to more robust technologies that also offer users increased convenience, such as smart cards or bio-identification systems. Such systems remove the burden of remembering multiple passwords from users by substituting another item of information, such as a randomly generated SmartCard ID, or physical recognition of a fingerprint, voice print, face, or iris pattern. In fact, far from moving toward single sign-on, most truly secure systems are instead moving toward requiring more identification from users, not less.
Of course, a single sign-on scheme can work with these types of authentication as well, but the core problem, that of reducing all security on your network to a single point of failure, simply doesn’t stand up to logical scrutiny, regardless of the convenience or cost savings it offers. The bottom line is that while users may not like having to sign on multiple times, the act of doing so protects them and their organizations from total security failure. The security you have now isn’t perfect, but there’s no point in trading bad for worse.
Do you really want to bet your organization’s security on the chance that everyone will remember to lock down their computers whenever they leave their desks?