With the increase of various types of application in an enterprise, the nightmare of managing access to them increases. One of the major issues is how to manage passwords to multiple applications.
I would like to remember only one password for all applications in the enterprise instead of writing each one down whenever its time to change it. The frequency of changing the password may vary from application to application, so does the password rules.
If you look at it from the cost perspective, every call to help desk to manage password costs an estimated $25 – according to Help Desk Institute. So having a password doesn’t come cheap, especially when you have multiple applications at various domains. Imagine this cost coupled with the cost of maintaining the credentials at various applications.
So why not use a software like Bruce Schneier’s Password Safe (http://www.schneier.com/passsafe.html )? That type of software is good for personal use when I have the luxury of time to dig through my list of domains and their credentials. They are not good for an enterprise that is regulated by various statutory requirements. It still does not solve my pain of signing in to multiple applications.
How about Singe Sign On? According to experts in the field, not many enterprises were successful in implementing in this area with single sign on. With all the acquisitions and mergers, it is found better implemented at the divisional or business unit level. However a more realistic approach would be to have reduced sign on.
This is not an easy job for architects as they need to consider stronger authentication mechanisms based on risk policies while consolidating application and reducing the number of access challenges.
One of the major constraints to reduced sign on is the multiple identity and policy domains that exist in the enterprise. They can be handled by having a primary authentication point which will facilitate background authentication with other policy domains. A user is challenged by a single primary system, while that primary system takes care of authenticating with other system in the background without the user’s knowledge.
Some of the options in consolidating sign on are extending network operating system login and centralized LDAP. However, they do have their own limitations. For example, network operating system login cannot be extended to external users and there could be multiple LDAPs within the enterprise that need to be consolidated.
Implementations such as E-SSO where multiple logins can be integrated to one single system is preferred for reduced sign on, however it is a large undertaking and requires time. Similar is the case with federated authentication using protocols such as SAML.
One of the easiest and quick fix to manage this nightmare is to have a password management system. Whenever a user changes the password, it is synchronized with all applications and tools such as LDAP and Active Directory using the password management system. In this way, I have only one password, possibly one user-id, for accessing all system in the enterprise. This still does not reduce my multiple sign on, however it’s the right step in the right direction.