Jul 25, 2015

Why would you want a single sign on tool to also implement multi-factor authentication?

David has a great answer for this.
Single sign on (SSO) works best when you can secure your logins with multiple authentication factors, so that the bad guys can’t compromise your accounts, or at least can’t easily gain access. Having more than one factor means that you need something more than your username and password, such as a one-time password token generator, your smartphone, or some kind of biometric scanner such as the fingerprint readers that are now found in many of the newer iPhones and Androids.

Most of the current SSO products have the ability to integrate with a wide variety of multifactor tools, and some such as SecureAuth, Okta, Ping and Centrify can specify these multiple factors for particular applications as part of a risk-based authentication approach. Risk-based authentication means that you ratchet up your level of security as you need to protect more risk-sensitive applications or particular transactions. For example, if you are just checking your bank balance that isn’t that risky. But if you are going to be conducting a wire transfer and moving money out of your account—that carries more risk and should step-up the security accordingly so you can prove that you are really whom you say you are and have the appropriate rights for that transaction. Risk-based methods are now coming into play more and more in the SSO space and the above vendors have various mechanisms of adding that to their authentication routines.

The net result is having multiple factors makes using SSO a powerful protective tool and can make logins much more secure than relying on individual users to choose passwords individually.
Answer this