Multi-Factor Authentication and Single Sign-On Explained

The simple combination of a user ID and password is no longer good enough to protect our most sensitive information. Credential theft, data breaches, malware, and determined attackers mean that digital security must keep evolving to stay ahead of the threats.

Strong, reliable security in a modern government, non-profit, SMB, or enterprise environment isn’t just important today; it's mandatory.

The best security takes into account the needs of both the organization and the employee, balancing protection against ease of use.

Most security officers weigh two primary investments, single sign-on (SSO) and multi-factor authentication (MFA), and deciding what is best for your organization requires careful consideration of the pros and cons of each. The two are not mutually exclusive; you can have both. However, given the budget constraints most IT organizations operate under, knowing how to allocate time and money to one project over another can make all the difference.

What is multi-factor authentication?

MFA verifies a person's identity with evidence from two or more independent categories before granting access to software, systems, and data. Typically, MFA systems combine two or more of the following:

  • What you know: a password, personal identification number (PIN), or recovery questions
  • What you have: a smartcard, FIDO security key, one-time password (OTP) generator, Bluetooth device, Apple Watch, or another authenticator
  • Who you are: a biometric, such as a fingerprint or face recognition
  • What you do and where you are: contextual signals such as GPS location, IP address, or an existing domain logon via Integrated Windows Authentication (IWA), which implies a managed device on the corporate network, and how you type (keystroke biometrics). These signals are usually treated as risk inputs that decide whether to ask for another factor, rather than as a factor on their own

The advantage of multi-factor authentication is that stealing one factor is no longer enough. A password combined with a physical token and a biometric significantly reduces the risk of account takeover and the breaches that follow, and the more the second factor resists phishing and interception (a FIDO key or smartcard rather than a code sent by text message), the stronger the protection.

However, while MFA strengthens user logons, it also has the reputation, sometimes well earned, of being difficult to manage. Users must be provisioned with the second factor (the first they memorize), and for some end users even enrolling a mobile phone to receive a one-time password by text message is an imposition. Still, MFA is the practical way for most organizations to lock down their networks and applications against unauthorized access.

What is single sign-on?

The concept behind single sign-on is straightforward: users perform one master sign-on at the beginning of their work period, and whenever they open another application the SSO solution signs them in on their behalf. In the classic enterprise SSO model the solution stores the user's credentials for each application in a vault and replays them at login; in federated SSO (SAML or OpenID Connect) the identity provider instead issues a signed assertion or token that the application trusts, so the application never sees a password at all.

The advantages of single sign-on include:

  • Users only have to remember one password. They may occasionally be prompted for credentials by individual systems, but the effort is far smaller.
  • Extra security, such as a biometric or a USB or software token, can be added to the initial sign-on, so one strong authentication protects every downstream application. This is where MFA comes into play.
  • SSO is quick and convenient for the end user, saving the time otherwise spent logging into many different applications.
  • Access risk is reduced in some instances. For example, credentials for third-party applications can be held in the organization's own vault, or replaced by federated tokens, instead of being typed into and stored by external systems.
  • There are fewer service desk calls for password resets, reducing IT support load.

Disadvantages of single sign-on:

  • If an attacker or malware obtains a user's SSO session or credential, every system reachable through SSO is compromised at once. SSO must therefore be deployed with strong authentication at the front door and protection for the session tokens and the credential store.
  • If the SSO service is unavailable, users cannot reach any of the systems behind it, making it a single point of failure.

The best of both worlds—combining SSO and MFA

MFA and SSO approach authentication from different angles.

SSO is more convenient for users but concentrates risk on a single login. MFA is more secure but less convenient. How can the two be combined into a solution that is both convenient and secure?

That is the direction the identity and access management industry is moving; again, it is the evolution of security. Approaches now being tested and used include:

  • Requiring a strong MFA sign-on at the start of the day, as with an SSO solution.
  • Granting continued access to authenticated users throughout their workday.
  • Requiring a fresh MFA challenge (step-up authentication) based on specific criteria, including:
    • Access to the most sensitive systems.
    • Changes in user behavior detected by the software, such as a new device or network.
    • Criteria such as location, role, and seniority that determine when re-authentication is needed.
    • Risk-scoring algorithms that request additional credentials in specific use cases.
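The step-up model in the list above, as an added example in Python that is not code from HID or the original post: the SSO service records which factors were used at the start-of-day sign-on and when, and each application request is evaluated against a small policy that either honours the session, demands a fresh MFA challenge, or denies it outright. The factor labels, the low/high sensitivity classes, the 15-minute freshness limit, the admin role name and the 10.0.0.0/8 trusted range are assumptions chosen for illustration.

```python
"""Step-up authentication policy evaluated on top of an SSO session."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
import ipaddress

# Assumed labels for factors that resist phishing (FIDO2 key, smartcard/PKI).
PHISHING_RESISTANT = frozenset({"fido2", "smartcard"})


class Decision(Enum):
    ALLOW = "allow"      # honour the existing SSO session
    STEP_UP = "step_up"  # keep the session but demand a fresh MFA challenge first
    DENY = "deny"        # refuse the request and end the session


@dataclass
class Session:
    """What the SSO service recorded at the start-of-day sign-on."""
    user: str
    role: str
    factors: frozenset   # factor types satisfied, e.g. {"password", "totp"}
    mfa_at: datetime     # when the most recent MFA challenge was passed
    device_id: str       # device the session was bound to at sign-on
    ip: str              # network address at sign-on


@dataclass
class Request:
    """An application asking the SSO service whether to admit the user."""
    resource: str
    sensitivity: str     # "low" or "high" (assumed classification scheme)
    device_id: str
    ip: str
    at: datetime


@dataclass
class Policy:
    high_mfa_max_age: timedelta = timedelta(minutes=15)  # freshness for sensitive systems
    trusted_nets: tuple = ("10.0.0.0/8",)                # assumed corporate range
    admin_roles: frozenset = frozenset({"admin"})


def in_trusted_network(ip: str, policy: Policy) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in policy.trusted_nets)


def evaluate(session: Session, request: Request, policy: Policy = Policy()):
    """Return (Decision, reason); checks run from hardest failure to softest."""
    # The session itself must rest on two distinct factor types (start-of-day MFA).
    if len(session.factors) < 2:
        return Decision.DENY, "session was not established with MFA"
    # A different device presenting the same session looks like token theft: deny.
    if request.device_id != session.device_id:
        return Decision.DENY, "device differs from the one bound at sign-on"
    # Behaviour change: the user moved networks since sign-on, so re-verify.
    if request.ip != session.ip:
        return Decision.STEP_UP, "network changed since sign-on"
    if request.sensitivity == "high":
        # Sensitive systems demand a recent challenge, not one from hours ago.
        if request.at - session.mfa_at > policy.high_mfa_max_age:
            return Decision.STEP_UP, "MFA older than policy allows for this resource"
        # Off the corporate network, sensitive access always re-verifies.
        if not in_trusted_network(request.ip, policy):
            return Decision.STEP_UP, "sensitive resource from an untrusted network"
        # Privileged roles must have signed on with a phishing-resistant factor.
        if session.role in policy.admin_roles and not (session.factors & PHISHING_RESISTANT):
            return Decision.STEP_UP, "admin access requires a phishing-resistant factor"
    return Decision.ALLOW, "within policy"


def run_scenarios() -> dict:
    """Constructed sample sessions and requests; returns the decision name per scenario."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    pw_totp = frozenset({"password", "totp"})
    office = Session("alice", "analyst", pw_totp, t0, "laptop-1", "10.1.2.3")
    remote = Session("carol", "analyst", pw_totp, t0, "laptop-3", "198.51.100.7")
    admin = Session("bob", "admin", pw_totp, t0, "laptop-2", "10.1.2.4")

    def req(sens, minutes, device, ip):
        name = "payroll" if sens == "high" else "wiki"
        return Request(name, sens, device, ip, t0 + timedelta(minutes=minutes))

    cases = {
        "low_sensitivity": (office, req("low", 360, "laptop-1", "10.1.2.3")),
        "high_fresh_mfa": (office, req("high", 5, "laptop-1", "10.1.2.3")),
        "high_stale_mfa": (office, req("high", 120, "laptop-1", "10.1.2.3")),
        "network_changed": (office, req("low", 5, "laptop-1", "203.0.113.9")),
        "device_changed": (office, req("low", 5, "phone-9", "10.1.2.3")),
        "high_from_untrusted": (remote, req("high", 5, "laptop-3", "198.51.100.7")),
        "admin_without_fido": (admin, req("high", 5, "laptop-2", "10.1.2.4")),
    }
    return {name: evaluate(s, r)[0].value for name, (s, r) in cases.items()}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:20s} -> {decision}")
```

Ordering matters: the denials (no MFA at sign-on, device mismatch) run before any step-up check so a hijacked session is never offered a chance to re-authenticate, and the low-sensitivity path stays frictionless for the whole workday, which is the convenience SSO is meant to preserve.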

The convenience of SSO combined with the security of MFA gives businesses a stronger security posture and more confidence in it. Providing users with the efficiency and ease that combined MFA and SSO offer also means fewer password resets and help desk calls.

Want to know more? Explore HID’s comprehensive and compliant multi-factor authentication solutions.

Jeff Carpenter is Director of Cloud Authentication at HID Global. In his 15+ years in cybersecurity, Jeff has held positions with a number of top tier cybersecurity and technology companies including Crossmatch and RSA, a Dell Technologies company. He holds both a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP) designation.