Single Sign-On (SSO)
Definition
Single Sign-On (SSO) is a technique that
attempts to solve the "identity crisis" of the information age.
Most computer users now hold multiple user names and passwords
for different domains, applications, and web sites. This is
difficult for administrators to manage and hard for users to
memorize. SSO in its simplest form gives the user one master
password that unlocks a database of the other sign-on
credentials, tying the scattered accounts to a single master
account that is responsible for all authentication and
authorization. SSO systems have advanced from the initial stage
of hiding a complex, multiple sign-on environment behind a single
account on an authentication server to more sophisticated
implementations that involve policies, rules, and roles that
determine a user's identity and level of rights. In general there
are two dimensions on which to classify SSO solutions: Web-based
vs. Non-web-based (Legacy), and Multiple Account Hiding vs.
Group Policies.
- Web-based: These solutions present a front-end portal,
typically protected by Secure Sockets Layer (SSL/TLS) transport
encryption, where the user enters one password; the applications
behind the portal then receive authentication information about
that user from the portal instead of prompting for credentials
again.
- Legacy (Non-web-based): These solutions are implemented on
local workstations as native applications rather than being
accessed through the web.
- Multiple-Account Hiding: A database is created that contains
all the log-on credentials associated with one user or one
identity, and a single master password takes their place. The
database can be populated manually or automatically, and the
solution may or may not fill in and submit the stored credentials
without user involvement.
- Group Policies: This is a solution that supports both
role-based and rule-based group policy assignment to each
identity. A role-based solution grants a fixed set of privileges
to users who play a given role in the organization (e.g.,
Administrators, Programmers, Management). A rule-based solution
grants layers of rights to each user: for example, if Jon A is in
the Networking Department, then he is allowed to do ABC, and if
Jon A is also involved in Project FunnyFace, then he is
additionally allowed to do EFG. In general a rule-based solution
is more flexible because of its "layered" structure.
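The two policy styles above can be made concrete in a few lines. The following is an added example written for this page, not code from any product discussed here: role names, right names other than the page's own ABC/EFG placeholders, and the identity attributes are hypothetical. It shows a role-based lookup (one role, one fixed bundle of rights) beside a rule-based engine in which every matching rule layers its rights on top of the others, plus an audit view that reports which layer contributed which right.

```python
"""Role-based vs. rule-based rights assignment for one SSO identity.

Added example for this page; names of roles, rights and groups are
hypothetical placeholders, not taken from any product on the page.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Identity:
    name: str
    roles: FrozenSet[str]    # organisational roles, e.g. "Programmer"
    groups: FrozenSet[str]   # departments and projects the person belongs to


# Role-based: each role maps to one fixed bundle of rights (hypothetical names).
ROLE_RIGHTS: Dict[str, FrozenSet[str]] = {
    "Administrator": frozenset({"manage_users", "read_audit_log", "deploy"}),
    "Programmer":    frozenset({"read_source", "commit", "deploy"}),
    "Management":    frozenset({"read_reports"}),
}


def role_based_rights(who: Identity) -> FrozenSet[str]:
    """Union of the bundles for every role held.

    An unknown role grants nothing, so a typo in a role name fails closed
    rather than open.
    """
    granted: set = set()
    for role in who.roles:
        granted |= ROLE_RIGHTS.get(role, frozenset())
    return frozenset(granted)


@dataclass(frozen=True)
class Rule:
    description: str
    applies: Callable[[Identity], bool]   # predicate over the identity's attributes
    grants: FrozenSet[str]                 # rights this layer adds when it applies


# Rule-based: every rule is an independent layer and the rights of all matching
# rules are stacked. The first two rules encode the page's Jon A example; the
# right names "A".."G" are the page's own ABC / EFG placeholders.
RULES: List[Rule] = [
    Rule("member of the Networking Department",
         lambda i: "Networking" in i.groups, frozenset({"A", "B", "C"})),
    Rule("involved in Project FunnyFace",
         lambda i: "Project FunnyFace" in i.groups, frozenset({"E", "F", "G"})),
    Rule("every authenticated identity",
         lambda i: True, frozenset({"change_own_password"})),
]


def rule_based_rights(who: Identity, rules: List[Rule] = RULES) -> FrozenSet[str]:
    """Rights of every layer whose predicate matches the identity."""
    granted: set = set()
    for rule in rules:
        if rule.applies(who):
            granted |= rule.grants
    return frozenset(granted)


def explain_rights(who: Identity, rules: List[Rule] = RULES) -> List[Tuple[str, FrozenSet[str]]]:
    """Audit view: which layer contributed which rights.

    Layering is purely additive, so the only way to take a right away is to
    remove the membership that triggers the rule granting it; this view is
    what an administrator needs to find that rule.
    """
    return [(rule.description, rule.grants) for rule in rules if rule.applies(who)]


if __name__ == "__main__":
    jon = Identity("Jon A", frozenset({"Programmer"}),
                   frozenset({"Networking", "Project FunnyFace"}))
    print("role-based:", sorted(role_based_rights(jon)))
    print("rule-based:", sorted(rule_based_rights(jon)))
    for description, grants in explain_rights(jon):
        print(f"  {description}: {sorted(grants)}")
```

Adding Jon A to Project FunnyFace changes nothing in the role-based result but stacks E, F and G on top of A, B and C in the rule-based one; that asymmetry is the "layered" flexibility the text refers to, and the audit view is the price of it, since an additive model makes it easy to lose track of why a right exists.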
Relevance to Biometric Authentication Applications and Devices
Biometric security devices and SSO solutions
can enhance each other. SSO eases the burden of remembering
multiple accounts and passwords, but it also concentrates risk:
by tying the accounts together it creates a single point of
failure, since whoever obtains the master credential obtains
every linked account. Replacing or supplementing the SSO password
with a biometric factor compensates for that added risk.
Biometric security devices can also bring the
concept of SSO from the business community to ordinary home
users. Most end users would not bother to purchase or even
download a stand-alone SSO application, but when the feature is
bundled with the biometric software, they readily use it for
convenience.
Device Specific Discussions
All the SSO features in the biometric devices we
examined are local, legacy solutions. They differ in their
authentication structure.
- U.are.U Personal: U.are.U Personal uses the
multiple-account hiding method. In the "One Touch Internet"
feature, templates can be created manually for password-protected
web sites and applications. Once a profile exists, the user name
and password are entered and submitted automatically. This often
works very well, but we encountered problems when using it with
Outlook and with web sites that have more than one password entry
field.
- BioconX: BioconX only assigns group policies for applications.
The administrator can issue 13 different rights to each user, and
users can be grouped; rights granted to a group are layered on top
of the individual user grants. The administrator can also specify
which applications are included in the start-up procedure. The
user goes through the authentication process only once, at the
initial login.
- SecureSuite: SecureSuite combines both kinds of
SSO methods. For web sites, a method that is similar to U.are.U
Personal is adopted. The difference is that the profiles are not
manually created, but automatically created once the user chooses
to include each password-protected web site. SecureSuite does not
automatically submit the log-on credentials. Users have the
flexibility to require the authentication process before each
session, or to only have one authentication process at the
initial login. For applications, SecureSuite has a similar
structure as BioconX in which the administrators determine which
applications should be launched at start-up for each user. Again,
users can be grouped and classified. When it comes to SSO,
SecureSuite has the most complete array of functions and
flexibility.
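The multiple-account hiding method described in the definition and implemented by U.are.U Personal and SecureSuite comes down to a credential database sealed under the master secret, plus a policy for when that secret must be presented again. The block below is an added example written for this page, not the code of U.are.U, BioconX or SecureSuite: it derives an encryption key and a separate MAC key from the master password with PBKDF2, seals the per-site credentials with an HMAC-SHA256 counter-mode keystream in encrypt-then-MAC form, refuses to release anything when the tag does not verify (wrong master or tampered vault), and models the two unlock policies the text describes (authenticate once at login, or before every credential release). The site names and credentials are constructed sample data.

```python
"""Multiple-account hiding: one master password seals a database of per-site
credentials.  Added example for this page, not the code of any product on it.

The cipher is assembled from the standard library (HMAC-SHA256 in counter mode
plus an HMAC tag, encrypt-then-MAC) so the block runs offline; production code
should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 instead.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

Credential = Dict[str, str]      # {"username": ..., "password": ...}
VaultDB = Dict[str, Credential]  # keyed by web site or application name

PBKDF2_ITERATIONS = 200_000  # work factor: the only brake on guessing the master
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample data, not credentials from the page.
SAMPLE_DB: VaultDB = {
    "mail.example.test": {"username": "jon.a", "password": "S3cret!mail"},
    "intranet.example.test": {"username": "jona", "password": "Pr0ject-FunnyFace"},
}


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """One PBKDF2 run yields a 32-byte encryption key and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256(enc_key, nonce || counter) blocks concatenated to `length`."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_password: str, db: VaultDB) -> bytes:
    """Encrypt the whole credential database; returns salt || nonce || ct || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(db, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> Optional[VaultDB]:
    """Return the database, or None if the master is wrong or the blob was altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # fail closed: never decrypt with an unverified key
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


class SsoSession:
    """The two unlock policies the page describes: authenticate once at login
    and keep the vault open for the session, or demand the master before
    every credential release."""

    def __init__(self, blob: bytes, reauth_each_time: bool):
        self._blob = blob
        self._reauth = reauth_each_time
        self._db: Optional[VaultDB] = None

    def login(self, master_password: str) -> bool:
        db = open_vault(master_password, self._blob)
        if db is None:
            return False
        if not self._reauth:
            self._db = db  # cached: one authentication covers the session
        return True

    def fetch(self, site: str, master_password: Optional[str] = None) -> Optional[Credential]:
        if self._reauth:
            db = open_vault(master_password, self._blob) if master_password else None
        else:
            db = self._db
        return None if db is None else db.get(site)
```

The single-point-of-failure argument made earlier on the page is visible in the code: every credential in SAMPLE_DB falls to whoever can satisfy `open_vault`, and PBKDF2's iteration count is the only thing slowing an offline guess at the master. Swapping or supplementing the master password with a biometric factor, as the page proposes, changes what `login` demands without changing the rest of the design.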
This page is part of a project on the Usability and Acceptability of Biometric Security Devices.