For IT folks, managing login credentials is a thankless task that can have serious consequences and pose potential security risks to your organization.
"81% of hacking-related breaches leveraged either stolen and/or weak passwords.” – Verizon Data Breach Investigations Report, 2017
And because we have so many passwords to manage every day – unlocking the phone, online purchases, bank transactions – many of us resort to using the same password on many sites. People try all kinds of unwieldy tricks to stay on top of passwords: post-it notes or a ‘password notebook’ are easy to lose, hard to maintain, and often nowhere in sight when you need them. Saving passwords in email, documents or spreadsheets is not secure. Some folks even click the “forgot your password” button every time they log in to an application. In fact, in pursuit of more security, I once used a password manager that generated strong passwords for websites I visited. I only had one password to remember: the ‘master password’. No worries, right? Until the application stopped working and I had no idea what my passwords were!
But, over the last year or so, many of us have experienced first-hand the risks that go with that tactic when we received the emailed extortion scams that included real passwords we have used in the past (fortunately for us, these hacked passwords are about 10-11 years old). In any event, using common passwords, sharing passwords with colleagues, and remembering passwords with the help of sticky notes are not sound tactics for keeping our information secure. And the number one rule in a world where password breaches are common: never re-use a password!
What Is Single Sign On?
In order to better manage and secure passwords, many IT departments are moving to Single Sign-On (SSO). The idea behind SSO is that you log in one time and then gain access to other applications – like your Learning Management System, HR System, IT applications, documents – without having to log in again. Remembering one username and password is a lot more convenient than remembering many. Plus, it is also efficient in not having to enter your login credentials every time you access an application.
As convenient as SSO is for users, it does increase security risks. Anyone who gains control of SSO credentials has access to all applications and data that the user has rights to, increasing potential damage.
What is Multi-Factor Authentication for SSO?
For applications that contain sensitive information, IT may selectively implement what is called Multi-Factor Authentication (MFA) for Single Sign-On. MFA works like this: when first attempting to access the MFA-protected application you may be prompted to answer a security question (e.g. “What street did you live on in second grade?”), you may be required to enter a code that was texted to you, or something more complex like plugging in a USB key.
But while MFA provides more security, it also reduces some of the benefits of having SSO in the first place. So some SSO systems implement Adaptive MFA. Say John’s typical work day starts with him turning on his computer, going down the hall for a cup of coffee, then logging in via SSO. His SSO system has adaptive MFA, so he is able to access his applications without having to respond to an MFA prompt. This occurs because his SSO system detected the device, physical location, and time of day and determined that this is indeed John. If someone were to get John’s login credentials they would almost surely not be using the same computing device in the same location at approximately the same time, so they would be prompted to respond to an MFA prompt - blocking access to his applications.
Adaptive authentication should look at the following:
- Device Profile: What system is the request coming from? Is this a system I have seen before? Is this a corporate-issued device?
- Location Awareness: Where is this request coming from, is this a “risky” IP address range, is this coming from a “risky” country? How did the user get from San Francisco to some other country in one hour? This isn’t the usual location from which this user is logging on.
- User Behavior: Why is the user accessing those servers / applications / data? He has never done that before.
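As an added illustration (not code from the original post or from TrainCaster), here is a toy risk evaluator in Python that turns the three signals above, plus the device/location/time check from John's example, into an allow-or-step-up decision. The thresholds, country codes, field names and the "any signal fires" policy are assumptions; a real SSO product would weight and tune these.

```python
from dataclasses import dataclass, field
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than an airliner between logins = impossible travel
RISKY_COUNTRIES = {"ZZ"}    # placeholder: country codes the organisation treats as high risk

@dataclass
class LoginAttempt:          # what the SSO system observes at login time
    device_id: str
    corporate_device: bool
    country: str
    lat: float
    lon: float
    at: datetime
    resource: str            # application / server the user is asking for

@dataclass
class UserHistory:           # what the SSO system has learned about this user so far
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_resources: set = field(default_factory=set)
    last_login: "LoginAttempt | None" = None

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def evaluate(attempt, history):
    """Return (require_mfa, reasons): any signal firing steps the user up to MFA."""
    reasons = []
    if attempt.device_id not in history.known_devices:
        reasons.append("unknown device")
    if not attempt.corporate_device:
        reasons.append("non-corporate device")
    if attempt.country in RISKY_COUNTRIES:
        reasons.append("risky country")
    if history.usual_countries and attempt.country not in history.usual_countries:
        reasons.append("unusual country for this user")
    prev = history.last_login
    if prev is not None:
        hours = (attempt.at - prev.at).total_seconds() / 3600
        dist = km_between(prev.lat, prev.lon, attempt.lat, attempt.lon)
        if hours <= 0 or dist / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible travel")
    if history.usual_resources and attempt.resource not in history.usual_resources:
        reasons.append("never accessed this resource before")
    return bool(reasons), reasons
```

John logging in from his usual laptop, city and application an hour after his last login yields `(False, [])`; the same credentials used an hour later from an unknown machine on another continent fire several reasons at once, including impossible travel.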
Using adaptive MFA for accessing applications and resources makes it easy for IT and the end user, which results in a happier workforce and protects your enterprise.
If you'd like to find out more about using SSO or MFA with TrainCaster LMS, contact us. We are happy to work with you to implement the solution that will work best for you.