Alex Manchester <[email protected]> writes: > I have been tasked with researching potential Compliancy concerns regarding > implementing a single sign-on solution. > The majority of the information has been relatively positive such as > providing centralized user and log management. > Other than ensuring the security and minimum strength requirements of the > master password, are there other concerns anybody else has faced with > implementing or researching a SSO solution.
One issue I've seen in single sign ons in large organizations is that just about anyone can stand up an internal web server that looks to hook into the single sign on API and herds of users (who are used to providing that one magical credential) are happy to type it in just about anywhere. Without some sort of one time password integrated, this can make single sign on tantamount to an authentication monoculture with its attendant weaknesses. I have no silver bullet here other than foisting unpopular 2-factor auth on people (insert joke about RSA's current woes here), but it's a risk to be aware of at least. The benefits of SSO still generally outweigh warts like this. -- Todd Haverkos, LPT MsCompE http://haverkos.com/ _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
