Sometimes Single Sign-On

SSO, aka Single Sign-On, seems to be one of the most requested features from business users. It is very common to hear end users complaining about having to remember different passwords or having to re-enter their login credentials over and over just to use internal systems. But is SSO what they really want?

The problem with single sign-on is the same as its benefit. A user just has to log into their desktop and then they have full access to any other system within the organization without having to provide login credentials again. This means that if a user walks away from their PC and leaves it unlocked, anyone could sit down and have access not only to files and information on the local PC but also to any of the organization's systems.

So what can be done to protect sensitive data? One option is to have a policy that all computers must be locked when a person leaves their desk. This is a good practice even when SSO is not implemented in an organization. However, it relies on the individual to remember to lock their system. How many times have you seen someone just walk away from their PC or laptop without locking it? I see this on a daily basis.

Another option is to enable "On resume, display logon screen" in the screen saver settings and then set a one-minute inactivity timer. This would automatically lock any system left alone for more than one minute, but a lot could still happen within that first minute of a computer being left alone.
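The screen saver setting described above can be applied and verified from PowerShell rather than clicked through the dialog. The script below is an added example, not code from the original post; it assumes a Windows host where the current user's `HKCU:\Control Panel\Desktop` key is writable and that the bundled blank screen saver `scrnsave.scr` exists in System32. The three values it sets are the ones behind the dialog's "Screen saver", "Wait" and "On resume, display logon screen" controls.

```powershell
# Added example (not from the original post): enforce a password-protected
# screen saver after one minute of inactivity, then read the values back.
# Assumes a Windows host; registry path and scrnsave.scr location are
# the standard ones, but treat them as assumptions for your build.
$desktop        = 'HKCU:\Control Panel\Desktop'
$timeoutSeconds = 60   # the post's one-minute timer; the value is in seconds

# Which screen saver to run (the blank one shipped with Windows is enough).
Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE' `
    -Value "$env:SystemRoot\System32\scrnsave.scr"

# Turn the screen saver on, require logon on resume, and set the idle timer.
Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'    -Value '1'
Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'
Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'   -Value "$timeoutSeconds"

# Verify: all three must be in place, or the machine still stays unlocked
# when the user walks away.
function Test-ScreenSaverLock {
    param([string]$Path = $desktop, [int]$MaxSeconds = $timeoutSeconds)
    $v = Get-ItemProperty -Path $Path
    return ($v.ScreenSaveActive    -eq '1') -and
           ($v.ScreenSaverIsSecure -eq '1') -and
           ([int]$v.ScreenSaveTimeOut -le $MaxSeconds)
}

if (Test-ScreenSaverLock) {
    "Screen saver lock enforced after $timeoutSeconds seconds of inactivity"
} else {
    "Screen saver lock is NOT enforced on this account"
}
```

These are per-user values, so the user can change them back; the changes are also only guaranteed to be picked up at the next logon. To make the setting stick across a fleet, push the same three controls through Group Policy (User Configuration > Administrative Templates > Control Panel > Personalization: "Enable screen saver", "Password protect the screen saver", "Screen saver timeout"), which the dialog then shows greyed out.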

Once users realize the security risks of SSO, they start thinking that maybe they really want SSSO, aka "sometimes single sign-on". They want to be prompted for login credentials when accessing human resources and payroll information. They want to be prompted for login credentials when accessing other systems with similarly sensitive information. For non-critical systems, or those not holding sensitive data, the users do want SSO.

SSO can be very time consuming, complicated and expensive to implement. I recommend that you think very carefully about your own organization and get lots of input from the end users, line of business owners, and IT personnel before jumping into an SSO project. You just might find out that you don't really need or want SSO.
