Finding detractors is easy. Just do something novel: you will have appreciators, and you will find detractors standing right outside your door. But you must not confuse detractors with critics. Critics offer constructive criticism that is mostly useful. Detractors of Web Single Sign-On claim that it eases processes but compromises security.
Well, let’s take you through a mini primer on Web Single Sign-On. Single Sign-On is like the European Union visa system: if you have a visa to enter one country, you automatically qualify to enter many other EU countries. In web terms, Single Sign-On lets a user who has been authenticated once by a single identity provider in the domain obtain authenticated and authorized sessions across multiple web applications and entities. Single Sign-On, essentially, is the web equivalent of the EU visa system. So, for instance, if you log into Google’s email service Gmail, you also get automatic access to Google’s other services like Drive, Hangouts and so on, without needing to log in separately. There is no further need to remember usernames and passwords for each of these services; everything is now integrated. You can read about it in depth here.
Now focus back on the detractors. Why do they say it’s unsafe? Their contention is that with Single Sign-On you have just one set of username and password for all services under a domain, so if you lose those credentials, you risk handing thieves access to every application linked through Single Sign-On. Good point, no doubt. But obviously invalid. Here’s why: Single Sign-On was invented because people requiring access to multiple web applications or services had to create a set of credentials for each one, meaning one username and password per application. Imagine a web ecosystem with twenty separate applications in use: that is twenty passwords. Obviously, if all those services are under one umbrella, you will most likely reuse the same username and password combination across them, and by the very logic of the argument against Single Sign-On, that reuse increases the risk.
Without Single Sign-On, some of these systems, lacking adequate security, would be vulnerable to attacks. In a Single Sign-On environment, authentication is carried out by a central identity provider and not by each application individually. Additionally, with just one password to remember instead of twenty, users are likely to choose a stronger one, so the likelihood of it being cracked is very remote; there are several ways in which Single Sign-On promotes the use of stronger passwords. The detractors’ concern is countered on several other counts as well. In fact, the Global Information Assurance Certification (GIAC) has said Single Sign-On promotes security and increases rather than reduces it. A GIAC paper found that Single Sign-On solutions improve security by promoting stronger passwords, excluding weaker and vulnerable systems from a network, enhancing authentication and, of course, increasing productivity as a result.
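To make the central-identity-provider point concrete, here is an added example (not from the original post and not any product’s code) in which only the identity provider holds password hashes, while each application merely verifies a signed, time-limited assertion carrying an audience list. The shared HMAC key, the application names and the PBKDF2 parameters are constructed for the demo; a real IdP would sign with an asymmetric key under SAML or OpenID Connect.

```python
import base64, hashlib, hmac, json, os, time

# Constructed for this example: one identity provider (IdP) and the
# applications that trust it. A shared HMAC key stands in for the
# asymmetric signing key a real IdP (SAML, OIDC) would use.
IDP_KEY = os.urandom(32)
APPS = {"mail", "drive", "chat"}

def _hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()

class IdentityProvider:
    """The only component that ever sees or stores password material."""
    def __init__(self):
        self._users = {}  # username -> (salt, PBKDF2 digest)

    def register(self, user: str, pw: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _hash_password(pw, salt))

    def login(self, user: str, pw: str, ttl: int = 300):
        """Return a signed SSO assertion, or None on bad credentials."""
        salt, digest = self._users.get(user, (b"", b""))
        if not hmac.compare_digest(digest, _hash_password(pw, salt)):
            return None
        body = json.dumps({"sub": user, "aud": sorted(APPS),
                           "exp": time.time() + ttl}).encode()
        sig = hmac.new(IDP_KEY, body, "sha256").digest()
        return b64(body) + "." + b64(sig)

def verify_assertion(token: str, app: str):
    """Run by each application: checks signature, expiry and audience.
    The application holds no passwords, so a breach of it leaks none."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(IDP_KEY, body, "sha256").digest(), sig):
        return None
    claims = json.loads(body)
    if claims["exp"] < time.time() or app not in claims["aud"]:
        return None
    return claims["sub"]
```

Because every application trusts the same issuer, disabling the account or rotating the key at the IdP cuts off access everywhere at once, which is the flip side of the single-credential concern the post discusses.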