
Multi-Factor Authentication and Single Sign-On Explained

The simple combination of a user ID and password is no longer good enough to protect our most vulnerable information. Identity theft, data breaches, malware, and malicious actors mean that digital security must evolve to stay one step ahead of security threats.

Strong, reliable security in a modern government, non-profit, SMB, or enterprise environment isn’t just important today; it's mandatory.

The best security must take into account the needs of the organization and the employee, balancing protection, encryption, and ease-of-use.

Most security officers choose between two primary security solutions, single sign-on (SSO) or multi-factor authentication (MFA), and deciding what’s best for your organization requires careful consideration of the pros and cons of each approach. Of course, the two are not mutually exclusive; you can have both. However, given the budget constraints most IT organizations operate under, knowing how to allocate time and budget to one project over another can make all the difference.

What is Multi-Factor Authentication?

MFA uses several different factors to verify a person’s identity and grant access to various software, systems, and data. Typically, MFA systems use two or more of the following tools to authenticate individuals:

  • What you know: a password, personal identification number, or recovery questions
  • What you have: a smartcard, FIDO token, one-time password (OTP), Bluetooth device, Apple Watch, or some other authenticator
  • Who you are: a biometric authenticator, such as a fingerprint or face recognition
  • What you do and where you’re at: location-based authentication using GPS, IP address, or Integrated Windows Authentication (IWA), and how you type (keystroke biometrics)

The advantage of multi-factor authentication is that, in most cases, it’s very secure. The combination of a password, physical token, and biometric can significantly reduce the risk of data and software breaches.

MFA has clear advantages in securing user logons, but it also has a reputation, sometimes well earned, for being a bit difficult to manage. Users need to be provisioned with the second factor (the first they memorize). For some end-users, even setting up a mobile phone to receive a one-time password via text message can be an imposition. Still, MFA is a safe way for most organizations to lock down their networks and applications against unauthorized access.

What is Single Sign-On?

The concept behind single sign-on is very straightforward—users carry out a master sign-on to authenticate themselves at the beginning of their work period. Then, whenever they need to log into another piece of software, the SSO solution logs in on their behalf. The SSO solution internally stores the various credentials for every piece of software users need to access and then validates the users with those systems when they need to be accessed.

The advantages of single sign-on include:

  • Users only have to remember one password at all times. Although they may be required to enter credentials for other systems occasionally, there’s significantly less effort needed.
  • Extra security, such as biometric authentication, can be added to the initial single sign-on or accessed via a USB token, soft token or similar encryption device. MFA comes into play here.
  • SSO is quick and convenient for the end-user. It saves time by not requiring them to spend time logging into many different applications.
  • Risks for access are reduced in some instances. For example, credentials for third-party applications could be stored internally rather than on external systems.
  • There are fewer calls to the service desk for password resets, reducing IT support resource needs.

Disadvantages of single sign-on:

  • If a hacker, malicious actor, or malware gets SSO access, every system reached through SSO is compromised.
  • SSO must be deployed with strong encryption and authentication methods to prevent this from happening.
  • SSO becomes a single point of failure: if the SSO system is unavailable, users cannot access any other systems.

The Best of Both Worlds—Combining SSO and MFA

MFA and SSO approach the issue of security and authentication from different directions.

SSO is more convenient for users but has higher inherent security risks. MFA is more secure but less convenient. Can the two be combined to provide a solution that is both convenient and secure?

That’s the way the security and encryption industry is moving. Again, it’s about the evolution of security. Some of the new approaches being tested and used include:

  • Requiring secure MFA sign-on at the start of the day, similar to an SSO solution.
  • Granting continued access to authenticated users throughout their workday.

Requiring additional verification using MFA based on specific criteria, including:

  • Access to the most sensitive systems.
  • Changes in user behavior as detected by software.
  • Using criteria such as location, role, seniority, and the like to determine when new authentication is needed.
  • Using algorithms to intelligently request additional credentials in certain use cases.
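The combined flow listed above can be sketched as a policy check; this is an added example, not HID's code or any product's API. The app names, thresholds, and the anomaly score (from a hypothetical behaviour engine) are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Authenticator -> factor category, following the "know / have / are" list.
CATEGORY = {"password": "know", "pin": "know", "otp": "have",
            "fido_token": "have", "smartcard": "have",
            "fingerprint": "are", "face": "are"}

# Policy values are illustrative assumptions, not vendor defaults.
SENSITIVE_APPS = {"payroll", "hr-records"}
WORKDAY = timedelta(hours=10)        # lifetime of the start-of-day sign-on
FRESH_MFA = timedelta(minutes=15)    # how recent MFA must be for sensitive apps
ANOMALY_LIMIT = 0.7                  # score from a hypothetical behaviour engine

@dataclass
class Session:
    factors: tuple        # authenticators presented at the master sign-on
    signed_on: datetime
    last_mfa: datetime    # time of the most recent MFA check
    country: str          # location observed at the most recent MFA check

@dataclass
class Request:
    app: str
    when: datetime
    country: str
    anomaly: float        # 0.0 (normal) to 1.0 (very unusual)

def is_multi_factor(factors):
    """Two secrets are still one factor: count distinct categories."""
    return len({CATEGORY[f] for f in factors}) >= 2

def decide(session, req):
    """Return (decision, reasons) for one SSO-brokered access request."""
    if not is_multi_factor(session.factors):
        return "sign_on_again", ["master sign-on was not multi-factor"]
    if req.when - session.signed_on > WORKDAY:
        return "sign_on_again", ["start-of-day session expired"]
    reasons = []
    if req.app in SENSITIVE_APPS and req.when - session.last_mfa > FRESH_MFA:
        reasons.append("sensitive system without recent MFA")
    if req.country != session.country:
        reasons.append("location changed since last MFA")
    if req.anomaly >= ANOMALY_LIMIT:
        reasons.append("behaviour anomaly")
    return ("step_up", reasons) if reasons else ("allow", [])
```

After a successful step-up, the caller is expected to update `last_mfa` and `country` on the session so the same request is then allowed.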

The convenience of SSO combined with the security of MFA gives businesses a stronger security posture and greater confidence. In addition, providing users with the efficiency and ease that MFA and SSO offer means fewer password resets and help desk calls.


Jeff Carpenter is Director of Cloud Authentication at HID Global. In his 15+ years in cybersecurity, Jeff has held positions with a number of top tier cybersecurity and technology companies including Crossmatch and RSA, a Dell Technologies company. He holds both a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP) designation.
