Authentication Fundamentals

Multi-Factor Authentication and Single Sign-On Explained


The simple combination of a user ID and password is no longer good enough to protect our most vulnerable information. Identity theft, data breaches, malware and malicious actors mean digital security must evolve to stay one step ahead of security threats and remain effective.

Strong, reliable security in a modern government, SMB, or enterprise environment isn’t just essential today, it’s mandatory.

The best security must take into account the needs of the organization and the employee, balancing protection, encryption and ease-of-use.

With most security officers having a choice between two main security solutions—single sign-on (SSO) or multi-factor authentication (MFA)—deciding what’s best for your organization requires careful consideration of the pros and cons of each approach.

Multi-Factor Authentication

MFA uses several different “factors” to verify a person’s identity and authenticate them to access various software, systems and data. Typically, MFA systems use two or more of the following to authenticate individuals:

  • Something the person knows—this could be a password, personal identification number or login name.
  • Something the person has—this could be a security token, a smartphone app that generates a one-time passcode, a swipe card, an SMS or some other authenticator.
  • Something the person is—this is typically a biometric type of security, for example fingerprint scans, voice recognition or facial recognition.
  • Where the person is—location-based authentication using GPS can also help to authenticate identity. For example, are they in an office the business manages?

The advantage of multi-factor authentication is that in most cases MFA is very secure. The combination of a password, a physical token and a biometric can significantly reduce the risk of data and software breaches.

But MFA also has drawbacks, the main one being that it is inconvenient. It requires users to have something with them, like a token or smartcard, or to go through a supplemental security process that – while it may seem trivial in terms of time – often leaves users with a negative experience.

Single Sign-On

The concept behind single sign-on is very straightforward—a user carries out a “master” sign-on to authenticate themselves at the beginning of their work period. Then, whenever they need to log into another piece of software, the SSO solution logs in on their behalf. The SSO solution internally stores the various credentials for every piece of software a user needs to access and then validates that user with those systems when they want to access them.

The advantages of single sign-on include:

  • A user only has to remember one password at all times. Although they may be required to occasionally enter credentials for other systems, there’s significantly less effort needed.
  • Extra security can be added to the initial single sign-on, for example requiring biometric authentication, or access via an RSA token or similar encryption device.
  • SSO is quick and convenient for the end user. It saves time by not requiring them to spend time logging into many different applications.
  • Risks for access are reduced in some instances—for example, credentials for third-party applications could be stored internally rather than on external systems.
  • There are fewer calls to the service desk for password resets, reducing IT support resource needs.

Disadvantages of Single Sign-On

  • If a hacker, malicious actor or malware gets SSO access, that compromises any systems used by SSO.
  • SSO must use strong encryption and authentication methods to prevent this from happening.
  • Loss of availability of SSO systems means a user will not be able to access any other systems, so they become a single point of failure.

The Best of Both Worlds — Combining SSO and MFA

MFA and SSO come at the issue of security and authentication from different directions.

SSO is more convenient for users but has higher inherent security risks. MFA is more secure but less convenient. Can the two approaches be combined to provide a solution that is both convenient and secure?

That’s the way the security and encryption industry is moving. Again, it’s about the evolution of security. Some of the new approaches being tested and used include:

  • Requiring secure MFA sign on at the start of the day, similar to an SSO solution.
  • Granting continued access to authenticated users throughout their work day.
  • Requiring additional verification using MFA based on certain criteria including:
    • Access to the most sensitive systems.
    • Changes in user behavior as detected by software.
    • Using criteria such as location, role, seniority and the like to determine when new authentication is needed.
    • Using algorithms to smartly request additional credentials in certain use cases.

The aim is that the convenience of SSO can be combined with the security of MFA in a way that works for users and gives the business the security and confidence it needs.
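An added example, not from the original article or any vendor's product: one way to express the step-up criteria listed above as a policy function that decides whether a request within an existing SSO session needs a fresh MFA check. The role names, locations, time windows and sample data are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Every name, threshold and sample value here is an assumption made for this example.
WORKDAY = timedelta(hours=10)                 # lifetime of the start-of-day MFA sign-on
FRESHNESS = {"admin": timedelta(minutes=15)}  # per-role MFA freshness for sensitive systems
DEFAULT_FRESHNESS = timedelta(hours=1)
TRUSTED_LOCATIONS = {"hq-office", "branch-office"}

@dataclass
class Session:
    role: str
    signed_in_at: datetime        # MFA sign-on at the start of the day
    last_mfa_at: datetime         # most recent successful MFA check
    last_mfa_location: str        # where that check happened

@dataclass
class Request:
    sensitivity: str              # "low" or "high"
    location: str
    anomaly_at: Optional[datetime] = None  # set by behaviour-monitoring software

def decide(session: Session, request: Request, now: datetime):
    """Return (decision, reasons); decision is allow, step_up_mfa or full_sign_in."""
    if now - session.signed_in_at > WORKDAY:
        return "full_sign_in", ["workday session expired"]
    reasons = []
    window = FRESHNESS.get(session.role, DEFAULT_FRESHNESS)
    if request.sensitivity == "high" and now - session.last_mfa_at > window:
        reasons.append("sensitive system, MFA not recent enough for role")
    # Only an anomaly newer than the last MFA check counts, so a completed
    # step-up clears it instead of prompting the user again on every request.
    if request.anomaly_at is not None and request.anomaly_at > session.last_mfa_at:
        reasons.append("behavior change since last MFA")
    if (request.location != session.last_mfa_location
            and request.location not in TRUSTED_LOCATIONS):
        reasons.append("new untrusted location")
    return ("step_up_mfa" if reasons else "allow"), reasons

def record_step_up(session: Session, location: str, now: datetime) -> None:
    """Call after the user passes the extra MFA check."""
    session.last_mfa_at, session.last_mfa_location = now, location

if __name__ == "__main__":
    t0 = datetime(2024, 1, 8, 9, 0)  # constructed sample data
    s = Session("admin", t0, t0, "hq-office")
    print(decide(s, Request("low", "hq-office"), t0 + timedelta(hours=3)))
    print(decide(s, Request("high", "hotel-wifi"), t0 + timedelta(hours=3)))
```

Tying the behavior and location checks to the time and place of the last MFA check keeps the policy from prompting in a loop once the user has completed a step-up.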

It’s an exciting time to be helping customers make the transition to these new technologies.

Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top tier cybersecurity and technology companies; most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP) designation.