Identity and Access Management
How many separate passwords and usernames do you have to remember? If you do not know the answer, you are not alone. It is not uncommon for employees to manage dozens of separate usernames and passwords to access enterprise applications. Many credentials are repeatedly re-used, forgotten, or lost. The consequences are frustrated employee users, decreased productivity, and security. Employees are not only frustrated; the lost productivity is costing U.S businesses billions of dollars. Cormac Herley, a top researcher at Microsoft estimated the U.S alone lost $16 billion dollars in productivity due to passwords. Herley argues that the cost-benefit of passwords and security has not been clearly demonstrated to users.
Identity federations can solve the source of lost employee productivity from passwords by providing a mechanism for applications to securely share user identities without needing a separate account for each application. SAML (Security Assertion Markup Language) is a secure, open source, XML based federated security model that shares identities between multiple organizations and applications. The SAML framework has been around since 2001 with the last major revision in 2005 with SAML 2.0. While the framework is older, it is still the most widely adopted.
SAML uses secure tokens which provide only what is necessary to gain access to the application. There are no passwords to forget or steal from each application. The user signs in with their credentials. The identity provider checks the credentials are valid and then sends a token to the Service Provider. SAML works well in conjunction with a single sign on solution so that users do not have to repeatedly enter the same credentials to access separate applications.
Although SAML is the dominant security standard for federated identity management currently, there are other protocols gaining adoption such as WS-Trust, OAuth, and OpenID. The selection of open source standard depends on the business need for level of security.
OAuth is more commonly used for social media authentication where a user can "sign in with Facebook" or other common credentials. Where the business need requires rapid transactions without strong consideration for identity validation, social media authentication with Google, Twitter, LinkedIn, or Facebook are popular sources. Social media federated authentication has grown rapidly and I expect the trend to continue as users demand to more efficiently authenticate to popular applications without needing to create yet another new set of credentials.
- Eliminates multiple weak passwords for each application with single credential.
- Boosts business value by reducing cost, increasing productivity, and enhancing customer satisfaction.
- Scalability: Rapidly onboard additional applications within an enterprise.
Conclusion: Strong Authentication
More than a federated security model is necessary to create a strong authentication system. A compromised password and username creates a risk within multiple applications in a federated security model. There is reason for concern when examples of the most popular user created passwords are "password" and "123456."
A great solution is to create strong credentials, re-use them within a federated security model, and protect them with multi-factor authentication. What do I mean by strong credentials? Prompt users to create strong passwords with at least 7 characters, at least one special character, no repetitive characters, or dictionary words. There are many other strong password rules worth considering. I recommend combining strong credentials with multiple security factors commonly referred to as MFA (Multi-Factor Authentication). Device recognition, one-time access codes, primary key infrastructure, knowledge based questions, and biometrics are some of the many options that go beyond the less secure username and password model. Employees will appreciate going through the inconvenience of creating a strong set of credentials if they know that it will save them valuable time accessing multiple applications in the future.
About the Author
John McMurry is a Senior Consultant in the management consulting practice area of our Richmond, VA office. He has 5+ years as a project manager and has helped implement an Identity and Access Management system for a large organization. John is also a Certified Scrum Master, PMP, and received his MBA from Johns Hopkins University.