Published September 5, 2017 • By Karen Walsh

Password management risk comes in a variety of forms. Single sign on (SSO) coordinates login information for multiple applications with a single authentication. Centralized authentication means that once a user has logged into the first application, they still need to re-enter the password even though the credentials are the same.


There are three means of authentication. One means is  login information, referred to as “something you know.” The second means is plus a login object, such as a cell phone that receives texts, also called “something you have.” The third is related to your own being, such as a fingerprint, or “something you are.” Two factor authentication uses two of these things, while multi-factor uses all three.


When trying to determine the best option for your organization, you need consider the password management risk combined with the level of security you think you need to protect your assets.


Why Password Management Risk Mitigation Starts with You


As your company matures, you need more applications to help manage your needs. From email to cloud storage to Software as a Service (SaaS) providers, your organization is linking and using a lot of different applications just to accomplish the day to day work. This means that your employees are accessing many applications to get their jobs done.


As you store more data in these applications, you need to make sure that employees understand the importance of a strong password. Employees may recognize the little red, yellow, and green “strength” bars on their password creation tools, but may not truly grasp the reason for them. For example, a person may assume that since the company’s systems are protected, their password is an extraneous step. Therefore, the first step to password management risk mitigation starts with education.


The next step is to consider how often you want to require password changes. Previously, more frequent password changing was thought to be more secure. However, as information security becomes more advanced in its understanding of cyberattacks, researchers have determined that this doesn’t really add to the safety of your systems. Although corporate logins and email passwords should be changed periodically, that period can be longer in duration than previously thought.


When passwords are of an appropriate length and strength, they become even more difficult to remember. If you are using multiple applications and requiring separate strong passwords for each, your employees are either going write them down or use the same one in multiple places. When they write them down, they put passwords in places that aren’t really safe. When they use the same password for multiple applications, that puts you at risk because if that password is compromised, it may compromise your systems despite your attempt to keep that from happening.


How SSO Helps Mitigate Password Management Risk

SSO creates a single set of login credentials that are used across multiple applications. Basically, your employees come up with one password and use that to access every application they need to do their jobs.


When an employee enters a password for the dominant application, the SSO protocol shares that information to other domains to which it is connected. This is done by a web token, a piece of data created by your server that combines a key with your identification. Think of it as a bunch of code that combines your house key with your driver’s license.


SSO makes your organization more secure by creating a single point of entry into your systems. For another analogy, pretend your systems are a medieval castle. If that castle has multiple gates, there are various ways that enemies can enter. If you have a moat with a single drawbridge, that limits the access to your castle. SSO is the digital equivalent of creating a moat and drawbridge.


Also, SSO aids security by making it more likely that your employees will use strong passwords. When you need to remember only a single password, you can remember something more complex. When you need to remember many passwords, you are more likely to reuse something simple. By streamlining employee access and lowering their number of passwords, you are automatically making it easier for them to use a strong password.


How Does Centralized Authentication Mitigate Password Management Risk


Centralized authentication is often confused with SSO because they both perform a similar function. Similar to SSO, centralized authentication mitigates password management risk by consolidating login information shared across multiple applications. Unlike SSO, centralized authentication requires constant repetition of credentials.


With centralized authentication, your employees have a single username and password that works across multiple applications. This means that, similar to SSO, they need to remember only a single password. However, with centralized authentication, they need to enter those credentials every time they open a new application.


Within the castle context, imagine that the drawbridge is an application and the entrance to the castle is another application. If the wall surrounding the outer edge of the moat has a gate that needs a key, you have to unlock the gate to gain access to the drawbridge. Then, once across the drawbridge, you need to unlock the castle gate using that same key. To prove that you know how to get in, you have to recognize that both keys open both doors.


This is the same for centralized authentication. When your employees have to re-enter their information every time they open an application, they are proving that they know the password is the same, thus proving that they are who they say they are.


What Security Risks Come with SSO

As evidenced by the OneLogin breach back in June, SSO comes with a risk. Having a single drawbridge can limits access to your operations castle, but it can create a single point of failure, too.


Just as armies can break through that one gate and overwhelm a castle, so can the cracking of a single login allow multiple hackers to overwhelm your systems. Once they gain access to the single password, they have access to multiple applications. This causes the widespread damage that you were trying to eliminate.


Centralized authentication comes with a similar risk. If someone gains access to the set of credentials, they can access all applications linked to it. In the same way that an enemy trying to access a castle needs only to have one key for both gates, a hacker needs just one set of access credentials. In both cases, while the addition of the extra gate may buy a bit of time as the malicious intruder tries to unlock the safety protocol, the key is the same, and the intruder can figure this out fairly quickly.


Why Two-Factor Authentication Helps Mitigate Password Management Risk

If you like thrills, you might have noticed that theme parks like Disney and Six Flags now incorporate fingerprint identification with multi-day passes. This fingerprint requirement is an example of multi-factor authentication.


Two-factor authentication is rapidly becoming a necessary safety protocol. With two-factor authentication, your organization not only has two gates but also two keys. Two-factor authentication requires not just a username and password, but also that your employee has additional information tied to either an object or their person.


Biometric authentication takes password management risk mitigation to the next level by requiring the use of information specific to the individual person, not just to something they own. This can involve  facial, fingerprint, or voice recognition.


Since you are requiring your employees to provide data that is genetically unique to each individual, this is the highest level of security you can provide your systems. Despite the very sci-fi concept, the reality is that current technology is making this more accessible. The current iPhone and recent MacBook Pro editions use fingerprints to gain access to the data on the devices. As this kind of technology becomes more prevalent, the cost will decrease. While this may not be cost effective at present, it is very likely that it will be a predominant security technology in the future.


This object can be either a physical hardware token or a cell phone that receives emails/texts. For example, not only will your employee have to log on to your system with their password, but they will also be prompted to include a randomly generated code that proves they are in possession of something unique to them.


Two-factor authentication aids in mitigating risk by recognizing when an employee’s login credentials are being used in a location or from a computer not normally associated with that employee. Once this risky circumstance is recognized, the potentially malicious intruder is locked out until they can provide the information sent to the individual in possession of the device linked to the account.


This offers two layers of security. First, it means that there is an additional hoop your malicious intruder needs to jump through to access your systems. Second, it means that your employee will be aware of an attempt at unauthorized login and can change their password prior to the completion of the intrusion.


For most organizations, this is the most efficient and cost effective way to protect your corporate access.

Why Multi-Factor Authentication May Be the Future of Password Management Risk


Multi-factor authentication is the highest level of security an organization can invoke. In multi-factor authetication, an employee needs to have a password, object, and biometric code to login to your systems.


Using the castle analogy for one last time, multifactor authentication is basically putting up a wall with a gated entry outside your moat, a bridge to get to the second gate that requires a second key, and a super secret handshake that goes along with the guards. All of these barriers to data access make it not only difficult but time consuming Each requires a something increasingly unique.


As biometrics become more reasonably priced and accessible, multi-factor authentication becomes the reality of information security.


Protecting your systems from intrusion means creating a program that combines employee awareness with tools to protect yourself. Determining the best way to mitigate password management risk means looking at the technologies available and understanding the ways in which they can be used within your organization. The more complex your organizational structure, the more complex your access management needs to be.


To see how you can move beyond password management in protecting your organization from security risks, read our ebook, “Cut Through Compliance Complexity with Consolidated Objectives.”