Recently Announced Single Sign-On (SAML) Vulnerabilities Prompt Security Experts to Consider Certificate-Based Authentication Options for Enterprise Security


Earlier this week SecurityWeek magazine reported on a SAML (Security Assertion Markup Language) vulnerability that was discovered and self-reported by a Single Sign-On vendor. The flaw was not isolated to a single vendor's product; it was reported across various products used for two-factor authentication. Exploiting it could enable a man-in-the-middle attack that allows unintended users to be authenticated.

An Alternative to SAML-based Single Sign-On

Security experts are now of the opinion that certificate-based authentication can provide a much-needed alternative to Single Sign-On (SSO) with two-factor authentication. In the past, certificate-based authentication, which relies on PKI as its underlying principle, was considered complex and hard to manage. It turns out that a well-designed, modern implementation of certificate-based authentication can be easy to use, provide a higher degree of security, deliver the flexibility to enable role-based security policy, and be very cost-effective.

With more and more applications natively supporting PKI-based authentication, it is highly likely that your IT security team will welcome a certificate-based authentication deployment with open arms.

So how does certificate-based authentication work?

Digital certificates are simple and easy to use, and they can be assigned to various types of entities. “People certs” are certificates assigned to users; each one validates the digital identity of a person and is unique to that individual. Similarly, “machine certs” bind to systems and applications. In this age of IoT (Internet of Things), devices should have identities too, and “device certs” let devices at the edge assert their valid identity.

In the simplest case, a user connects to a trusted application on a server. The application requests validation of the user's identity. The pre-provisioned user certificate, which is uniquely bound to that user, is presented to the application. After the application has validated the user certificate, access is granted.

As you can see, certificates replace the authentication portion of the interaction between the user and the server-based application. Instead of requiring a user to send passwords across the network throughout the day, the user uses their private key just once, in most cases without even noticing. For the rest of the session, the client presents the user’s certificate to authenticate the user to each new application or server it encounters, effectively providing the same convenience as single sign-on but in a much more secure manner.

Need certificate management for a mid-to-large enterprise?

HID Global’s Credential Management System (CMS) can be deployed across the enterprise to further simplify user authentication. CMS manages the certificate lifecycle and automatically enforces security policy by answering questions such as:

  • Has the digital certificate been issued by a trusted Certification Authority (CA)? – HID Global’s rapidly growing IdenTrust CA is a convenient, low-cost provider of people certs; certificates from other CAs are supported as well.
  • Is the certificate still valid? – CMS automatically checks expiration and triggers remediation steps.
  • Has the certificate been revoked? – CMS can check for internal or external revocation and disable the credential accordingly.
  • Is the certificate still linked to a valid user? – CMS leverages existing identity-proofing capabilities.
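The flow described in the two sections above (a user presents a certificate bound to their identity, the relying party validates it before granting access) and the four lifecycle questions a credential management system asks can be exercised end to end with nothing but the openssl command-line tool. The script below is an added example, not code from the original post or from HID Global's CMS. It builds a throwaway enterprise root CA plus an untrusted outside CA, issues people certs bound to individual users, then implements each question as a shell check: trusted issuer via chain validation, validity window, revocation against a CRL the root publishes, and a lookup in a constructed directory of active users. The CA names, the `*@example.test` users, the validity periods and the `active_users.txt` directory are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from HID Global's CMS.
# Builds a throwaway PKI with the openssl CLI, issues "people certs" bound to
# single users, and runs the four lifecycle checks before a presented
# certificate is admitted. All names and users are constructed for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# One config for the demo: req sections, CA/leaf extension profiles, and the
# minimal "openssl ca" database the root needs in order to publish a CRL.
cat > pki.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_user ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF

make_root_ca() {   # $1 = basename, $2 = CN; self-signed root (constructed)
    openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2" -extensions v3_ca -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_user_cert() {   # $1 = user, $2 = issuing CA basename, $3 = validity in days
    # The user's private key ($1.key) stays with the user; only $1.crt is presented.
    openssl req -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1@example.test" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days "$3" -sha256 -extfile pki.cnf -extensions v3_user -out "$1.crt" 2>/dev/null
}

setup_demo_pki() {
    make_root_ca ca    "Example Enterprise Root CA"   # trusted by the enterprise
    make_root_ca rogue "Untrusted Outside CA"         # not trusted
    issue_user_cert alice   ca    30   # passes every check
    issue_user_cert bob     ca    30   # revoked below
    issue_user_cert dave    ca     1   # expires inside the 7-day remediation window
    issue_user_cert erin    ca    30   # valid cert, but no longer an active user
    issue_user_cert mallory rogue 30   # signed by the untrusted CA
    # CA database + CRL: revoke bob's certificate and publish the list.
    : > index.txt; echo 1000 > serial; echo 01 > crlnumber
    openssl ca -config pki.cnf -revoke bob.crt >/dev/null 2>&1
    openssl ca -config pki.cnf -gencrl -out ca.crl >/dev/null 2>&1
    cat ca.crt ca.crl > trust_with_crl.pem
    # Constructed identity directory: who is still a valid user today.
    printf 'alice@example.test\nbob@example.test\ndave@example.test\nmallory@example.test\n' > active_users.txt
}

# --- The four checks; each exits 0 on pass and non-zero on fail -------------
issued_by_trusted_ca() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }
valid_beyond()         { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }  # $2 = seconds
not_revoked()          { openssl verify -crl_check -CAfile trust_with_crl.pem "$1" >/dev/null 2>&1; }
linked_to_active_user() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//; s/^CN=//')
    grep -qx "$cn" active_users.txt
}

# Admission decision: every check must pass, otherwise the credential is refused.
admit_certificate() {   # $1 = presented certificate
    issued_by_trusted_ca "$1" && valid_beyond "$1" 604800 \
        && not_revoked "$1" && linked_to_active_user "$1"
}

report() { d=$1; shift; if "$@"; then echo "PASS  $d"; else echo "FAIL  $d"; fi; }

setup_demo_pki
for u in alice bob dave erin mallory; do   # prints PASS for alice, FAIL for the rest
    report "$u: admitted" admit_certificate "$u.crt"
done
```

In a real deployment the certificate is presented inside the TLS handshake (client authentication), where the user's private key signs a challenge and never leaves the device; the relying party then runs exactly these checks, typically with OCSP or a CRL distribution point in place of the local CRL file used here.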

Who else is doing this?

More than you might think. With the growth of cloud adoption and enterprises moving to hybrid on-premises and cloud IT infrastructures, certificate-based authentication provides a convenient, secure and easy-to-use option for delivering security for people, places, transactions and things. Mordor Intelligence, a research firm in the security space, published a report showing an 11.12% CAGR (Compound Annual Growth Rate) for certificate-based authentication solutions over the period 2018-2023. For more information on HID Global identity and access management solutions, please visit