by Brian Spector, CEO, CertiVox
Time was when SSO simply meant being able to automatically pass login credentials from one application to another, so that a user could work across several applications at once, without having to sign into each of them separately. Remember that?
But a sea-change is taking place within SSO. The notion of logging in once in order to use many different applications is still at its core, but the nature of that login is changing radically. It is no longer sufficient to have the right login credentials. Instead, you have to be identified as the individual to whom those correct login credentials rightfully belong.
As we put it in our paper The Death of Username and Password, “On the internet, nobody cares if you’re a dog – but they do need to know which dog you are!”
Multi-factor magic
SSO’s new-found robustness lies in multi-factor authentication – defined as something you have, plus something you know, plus an additional identifying factor. Think of an ATM – it authenticates you on the basis of something you have (your bank card), something you know (your PIN), and, additionally, the information contained on the card’s magnetic strip. One is useless without the others.
The challenge has always been in translating this into a software-based approach, enabling an online user to authenticate simply by using their computer. But this capability now exists. With nothing more complex than a browser, a PIN (entered using an on-screen pinpad) and an automatically generated cryptographic key, users can authenticate online more securely than when they use their ATM!
The scalability potential here would previously have been unimaginable. Usernames and passwords, with their fixed 1-to-1 relationships, stored in a file, are intrinsically too risky to scale (as LinkedIn’s loss of over 6,000,000 logins to a hacker showed!)
Multi-factor authentication, on the other hand, provided it is built on something called “elliptic curve cryptography-based authenticated key agreement protocols” – phew! – can be robust enough to scale to many millions of users. This is because it simultaneously authenticates personal identity, the identity of the browser and the identity of the devices being used, without recourse to a fixed 1-to-1 relationship. If one of these factors is incorrect or missing, authentication can’t happen.
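To make the "one factor is useless without the others" point concrete, here is an added example that is not CertiVox's code and does not implement the elliptic-curve key-agreement protocol the post refers to. It is a deliberately simple HMAC-based construction (all function names, the PBKDF2 iteration count and the sample PIN are assumptions): a device-held key plays "something you have", a PIN plays "something you know", and the server only accepts a response to a fresh nonce that was computed from both. Note that this toy still stores a per-user verifier on the server, which is the kind of fixed record the post argues against; the key-agreement approach it describes is what removes that dependency.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed toy setting; tune per deployment


def combine_factors(device_key: bytes, pin: str, salt: bytes) -> bytes:
    """Bind 'something you have' (device_key) to 'something you know' (pin).

    Neither factor on its own reproduces the result: the PIN is stretched
    with PBKDF2, then keyed under the device key with HMAC.
    """
    pin_key = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.new(device_key, pin_key, hashlib.sha256).digest()


def enrol(pin: str):
    """Client side: generate the device factor and build the server record."""
    device_key = secrets.token_bytes(32)  # generated automatically, lives only on the device
    salt = os.urandom(16)
    record = {"salt": salt, "verifier": combine_factors(device_key, pin, salt)}
    return device_key, record


def respond(device_key: bytes, pin: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: answer a fresh server nonce using both factors."""
    combined = combine_factors(device_key, pin, salt)
    return hmac.new(combined, nonce, hashlib.sha256).digest()


def verify(record: dict, response: bytes, nonce: bytes) -> bool:
    """Server side: recompute the expected answer and compare in constant time."""
    expected = hmac.new(record["verifier"], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the four cases a practitioner would want to see: correct factors,
    wrong PIN, wrong device, and a replayed response against a new nonce."""
    device_key, record = enrol("2468")  # constructed sample PIN
    nonce = os.urandom(16)
    good = respond(device_key, "2468", record["salt"], nonce)
    other_device = secrets.token_bytes(32)
    return {
        "both_factors": verify(record, good, nonce),
        "wrong_pin": verify(record, respond(device_key, "2469", record["salt"], nonce), nonce),
        "wrong_device": verify(record, respond(other_device, "2468", record["salt"], nonce), nonce),
        "replayed_response": verify(record, good, os.urandom(16)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the first case is accepted; a correct PIN on the wrong device, a wrong PIN on the right device, or a captured response replayed against a new nonce all fail.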
Scalable = saleable!
For this self-same reason – scalability – service providers and their partners are suddenly into a whole new ball game here. If scale is no barrier to use, then it’s also no barrier to sale. So, excitingly, service providers and their partners now have the option of reselling the very same authentication services that they themselves use, so that their customers, in turn, can use them to secure their own end-users.
This is one snowball effect that should leave all of us feeling warm inside! If you want to learn more, we’re on Booth 704, or you can come to one of the technical or business sessions listed below:
- Technical Track – 4th Feb between 08:15-17:00 –
- Partner Theatre – 5th Feb at 12:45 – Growing Your Revenues with Single Sign-On, Multi-Factor Authentication for the Cloud and Mobile – Frank Boening (CertiVox)
- Developer Track – 6th Feb at 10:30 – Extending APS packages with Single Sign-On – Brian Spector and Gene Myers (CertiVox)