Single Sign-On Pros and Cons
In my previous blog post on Single Sign-On (SSO), I touched on advantages and disadvantages of using SSO. In this blog post, I will revisit and expand on those. I hope they will help you decide whether SSO is something you would like to use within Questionmark OnDemand, your organization or project.
My colleague Christian Röwenstrunk used the following image in his presentation on SSO at Questionmark Conference 2016, which sums it up well:
- SSO reduces password fatigue. When you only need to remember one password, for your identity provider, instead of a separate password for each of the systems (service providers) you want to connect to, you grow less tired of filling in passwords every time you log on to a system. It is a better user experience.
  Let’s admit it: if you need to maintain ten passwords for ten systems, you are inclined to choose passwords that are variations of one another, which is insecure. Or, worse, you use the same password on all systems (never do that!). If you need to remember only one password, you are also more willing to invest the energy to come up with a stronger one.
- SSO reduces password exposure. When you need to enter your password only once (hence the “Single” in Single Sign-On), there is less risk that someone will shoulder surf and see your password.
- SSO simplifies user and password management. This is especially interesting for the IT department. If you can access multiple systems as part of your employment and you leave the organization, the IT department only needs to decommission your account on the identity provider to revoke your access to all the linked service providers.
- SSO opens up new possibilities. Identity providers often have capabilities that make authentication more secure. For example, if your identity provider supports multi-factor authentication, then you can leverage that capability for all the service providers that are linked to your identity provider.
- SSO gives you the keys to the castle. If you log on to multiple systems from one identity provider and a hacker compromises your user account on that identity provider, the hacker gets unauthorized access to all the linked systems. This is similar to using the same password for multiple systems.
- SSO does not work when your identity provider is down. If your identity provider does not respond, for example due to an outage, you cannot log on to any of the systems that are linked to it.
- SSO takes a little bit of investment to set up. Linking your identity provider to a service provider is an extra step. Depending on the technologies used and the use cases, that extra step can mean that you will spend some time setting things up.