Backyard SSO Hero


So, my neighbor, Penny, peeks her head over the fence and asks me what I think about this SSO stuff. What makes her think I even want to chat in the first place . . . the game is on and I’m stuck out here? Can’t she see all these leaves taunting me because the leaf blower won’t start? A more appropriate discourse would have been something like, “Hey, my kids are looking for something to do. Can they rake your leaves for you?” But nevertheless, as I reluctantly get off my knees to graciously accept her unwanted invitation for fence banter, she continues with, “What does it even stand for? People I work with have been throwing it around, and I feel like I’m missing out on something. Does it stand for ‘Sorry So Obvious’ or ‘Seek Some Outdoors’ or maybe some form of ‘See ya Soon’?”

She now has me amused, and I’m finding her unsolicited remarks more interesting than the task at hand. I slowly get upright and reply to her with, “SSO stands for Single Sign On, and you may have it in place if your work day is not interrupted by too many security logins to the various applications you use at work. You are able to save time with SSO.”

“Security logins? What are those?” she replies.

“Do you have to provide an account name and password when you log into your computer in the morning?” I ask.

“Yes,” she states.

“Do you then have to provide additional username and password combinations to access other applications, such as SharePoint or Google Apps?”

“Oh, do you mean like Blackboard or my email?” she asks.

“Yes, exactly like Blackboard and Outlook Web App. How do you like logging in that many times in one day?” I inquire.

“It drives me nuts!” she retorts. “I have already shown the computer who I am, so why does it keep asking me to provide more names and passwords?! Our IT guy tells us we need to make strong passwords with symbols, upper and lower case letters, and even numbers. Oh noooo… you can’t even make it something that is easy to remember because it would be too easy to guess. That’s hard enough, and then we can’t write it down! My job is stressful enough without having to be bothered with all these usernames and passwords, not to mention dealing with an IT staff member should you, dare I say it . . . forget your password.”

Whoa! When did I become the neighborhood technical therapist? 😉 Anyway, football game and lawn work aside, Penny needs help and I’m the closest one to her at this point… the sacrifices we dedicated IT people make. I reassured Penny, “Single Sign On is going to be your best friend soon. You will be able to save time with SSO, and SSO reduces the phishing attack space. Not to mention, having SSO in place will eliminate most of the bad experiences you are having with passwords and authentication.”

Penny asks, “Soon? Why do you say soon?”

I reply, “Because it’s obvious that your company has not implemented SSO yet due to your multiple logins, and it looks like you can be the hero that starts the revolution for your co-workers.  Here’s what you do when you get back to work on Monday.  See if you can find someone with buying power, and plant a seed with the following facts.

1- Save time with SSO! Save time not only for the individual users who no longer have to log in to everything, but also for the IT people who are currently supporting users with multiple accounts and passwords.

2- Remind that person how grateful the IT staff will be to the person who puts SSO in place and takes a lot of frustration and despair out of their work week.

3- And for the knockout blow: SSO reduces the phishing attack space. You can let that lucky person know that eliminating all those logins reduces the phishing attack space considerably. Should they ask how to get started, you can give them the www.portalguard.com website.”

The next thing I know, I’m watching the game, and Penny’s kids are finishing up the yard work.

Press Release: Get the Level of Identity Management Your Campus NEEDS for Office 365

BEDFORD, NH– (Marketwire – June 25, 2014) – Today, PistolStar, Inc. announced the integration of its PortalGuard product with Office 365. This integration will give administrators the power to choose the level of convenience and security they desire for their students and faculty while accessing Office 365, including:

- Self Service Password Reset (SSPR)

- Single Sign-on (SSO)

- Two-factor Authentication

With PortalGuard integrated with Office 365, schools now get the level of identity management they need. Gregg Browinski, CTO of PistolStar, Inc., comments on the level of identity management and security with PortalGuard: “Using Office 365 guarantees 99.9% uptime for your campus email infrastructure, but this benefit is moot if students forget their passwords and can’t log in. Federating Office 365 with a local ADFS instance can allow SSO, but this just pushes a ‘forgotten password’ scenario further back to the desktop login and still lacks stronger two-factor authentication or self-service password reset options.” Browinski continues, “Swapping PortalGuard in place of ADFS in this architecture can provide standards-based web SSO and highly flexible SSPR from a single, tightly integrated, brandable login interface.”

Using PortalGuard’s SSPR, students and faculty are given the power to reset their passwords from the web or the desktop, reducing help desk calls and increasing ROI. SSO streamlines the login and reduces the barriers to access; with just a single login, students and faculty gain access to all of their authorized applications, including Blackboard, Moodle, Canvas, Banner, Google Apps, and Office 365.

PortalGuard provides the level of identity management your campus needs. More on PortalGuard®’s integration with Office 365 and other education applications is available on the PortalGuard Education page.

P@ssw0rdS

Passwords: we all have them, but we can’t all remember them. A satirical observation on the complexity of passwords.

There is so much pressure on choosing the “right” (or “R!6ht”) password: it has to exceed six characters, and even though we really wanted to use our dog’s name, “Spot,” that won’t work since it’s only four characters. So we are left to think of some other variation that we then may or may not remember. Then it becomes an ordeal just to remember whether it is spot12, Spot123, or SPOT10, since he was ten when you created the password, but was that in human or dog years?

Passwords just aren’t fun anymore; they are stressful. Some people put too much pressure on themselves when creating a password; we promise it’s not like the pressure of trying to win a gold medal at the Olympics. On the other end of the spectrum, some people don’t put enough pressure on creating a strong password (cough) 123456.

Faith Salie once said, “It sometimes feels like the only person from whom your passwords are keeping you safe is YOU.” 1

After forgetting your password, you then feel like you need to go to therapy, after being asked enough questions about your childhood to make your head spin. Maybe you don’t have the greatest childhood memories, and you are still recovering from being called “Chunky Monkey” for the first 13 years of your life. But sure enough, you are prompted to enter your childhood nickname.

“It may all lead to a profound existential crisis which leaves you yelling at your computer, ‘IT’S REALLY ME, I JUST FORGOT WHO I AM!!!’”1

Some people would argue that passwords are something we have just for the sake of making us feel safe rather than actually keeping us safe. We don’t agree: an attacker acquiring one or two of your passwords could bring your whole world crashing down. Your bank account could be drained, and even worse, they could potentially acquire your Social Security number and really do some damage.

So adopt password habits that you can actually keep up with, and maybe, if you are lucky, the organization you work for will implement single sign-on, if they haven’t already.

Resource:

1.)    http://www.cbsnews.com/news/a-word-for-the-password-weary/

What about these Toad Portals?

You read that correctly: I want to discuss portals that toads use to travel from their dimension to ours. Hold on, give me a minute to explain; I am not off my rocker.

FACT 1: We were having a lively time at the campfire roasting marshmallows by the lake, telling spirited stories and enjoying the warmth of the fire. Around midnight, out of what appeared to be nowhere, a toad was seen urgently hopping directly for the red-hot coals at the base of the fire. The youngest of our small group rushed into action and, disregarding her own safety, reached within three inches of the fire and tried to redirect the toad away from certain doom. To our dismay, the little guy turned around and headed back for the scorching bed of the fire (I’m not making this up). Not to be thwarted, our heroine took a more aggressive approach this time and made sure the ill-fated amphibian landed at the base of the rock wall we were perched on and had no chance of getting back to the fire. It would be out by the time Mr. Toad found his way back later that night.

FACT 2: What we witnessed sent all four of us into a frenzied discussion about what had just happened and why. One suggestion was that the toad had come through some sort of transportation portal, which would explain why it appeared to come out of nowhere. Since it made a second attempt to get to the fire after the first redirection, it was also conjectured that the portal back to its dimension was through the fire. We had noticed that the fire actually had unusual blue and green hues right about the time our visitor arrived, giving more credibility to the notion of a “Toad Portal” through our campfire.

FICTION:

So now we have a theory that this toad came to visit our dimension through a “Toad Portal” and didn’t make it back because we thought we were saving the poor guy from an extremely warm death. Little did we know we had stranded him in our space until he could find another fire with a portal he could use to get back to his world.

Always looking for new and innovative discussions to keep the blog page interesting and lively, it didn’t take me long to realize that if there really were such a thing as a “Toad Portal,” the toads should have some kind of security on their portal to prevent unwanted visitors from traveling back to their domain.

Always trying to match the correct authentication method to the resource and users, I thought I would open a discussion on what would be the best way for the toads to secure their campfire-based portal from intruders.

Here are my thoughts:

Password protected: not likely for a toad. I don’t think they can speak, and we didn’t see a keyboard or any input device for them to use.

Two-factor authentication: the “something they know” part of 2FA would present the same trouble that the password gives them.

SSO: Single Sign On implies they have a way to authenticate the one time and are then able to bounce back and forth between the two worlds with little care (unless an overprotective teenager disrupts your travel pattern). So far, I have not come up with a way for the toads to verify their identity.

External token: even if they had the technology, where would they carry it?

Biometrics: now this one has merit. If the toads have the technology to build and use a portal, they are probably able to protect access to it with some kind of body part scanner, such as an eyeball, tongue or even claws. Using the claws and tongues would definitely help keep us humans out, but then there is always that threat – even in our human world – of obtaining the toad body parts by any means possible and using them to gain entry into the other dimension.

This is only one man’s imaginative opinion and I would love to read your thoughts on the subject.

Balancing Security and Usability

There seems to be a constant struggle between keeping your company’s data safe and maximizing the productivity and satisfaction of your employees. There are enough security systems out there to find one that will lock your data down very securely; the problem is you don’t want to make it so secure that even your own employees can’t access the data. On the flip side, if employees are not challenged when they access data, would-be attackers will not be challenged either. So the trick is to find a security product that will let the officers of the company sleep well at night, but also permit the employees to be as productive as possible during the day.

What is security? Security is a mechanism put in place to allow only the appropriate people access to what is being requested. You have a key to the front door of your house, which you use to enter your home if the door is locked. No one else can get into your home through the front door without the key. Passwords are used the same way for computers, applications, web sites and files. Just as your key can get into the wrong hands and subject your home to an unwanted invasion, passwords can be guessed, phished or stolen by cyber criminals and give them access to your online valuables. So to further secure your home, you can add additional locks with different keys. An intruder would now have to acquire more than one key to break into your home easily. For computers, we have two-factor authentication, which means that in addition to something you know (a password), you will also be required to have possession of a device such as a key fob or cell phone. Additional restraints can be put on access by also requiring something that physically identifies you as you, such as a fingerprint or retina scan. You can see how increased security can make it more difficult for the right people to access what is being protected, which brings us to usability.

What is usability? Usability defines how easy or difficult it is to use something. Ideally, the easiest way to get into your home is to just twist the knob and walk right in. This would be considered very usable and would in fact completely tip the scale to the usability side and leave nothing on the security side. Having to open five locks with five different keys would be much more secure, but very time consuming and possibly frustrating if you can’t remember which key fits which lock.

So by now you might be getting an image in your head of an old fashioned balance scale that is dipping back and forth, depending on how secure or usable a system is.

One method for having a secure and usable system is to require two-factor authentication but automate the second factor. For instance, a browser add-on can hold a credential enrolled on that device and produce a security token that only it and the requested server know how to process. After the user enters their password to get into the site, the browser sends the security token on the user’s behalf. The user is happy because they only need to provide a password, and the security officer is also happy because two factors (the password and possession of the enrolled device) are needed to access the site. The caveat is that this second factor is only as strong as the device holding it: an attacker who controls that machine, or who copies the credential off it, inherits the factor along with it.

Single Sign On (SSO) can also be employed to balance the security and usability scale. A user logs into an authentication server and is issued a security token, signed by that server and carrying an expiry. The other sites the user then accesses do not prompt for additional logins because the token is delivered to them automatically and each server knows how to validate it (signature, expiry and intended audience) to authenticate the user.

Some environments may not be well suited for balancing security and usability and have to require very strong authentication before granting access. You’ve watched the scenes in the movies where three different people have to be in the same room with their physical keys and passwords in order to launch a nuclear strike. But on the other hand, you wouldn’t put any security on a public park where people can exercise and relax.

The balance point (or lack thereof) between security and usability is not going to be the same for everyone.  The goal is to understand what is being protected and how secure it has to remain.  Then the appropriate security mechanisms can be put in place.

Here are additional resources on this topic:

http://reports.informationweek.com/abstract/18/8643/Mobility-Wireless/informed-cio-striking-a-security-usability-balance.html

http://www.gfi.com/blog/security-usability-finding-balance/

http://www.schneier.com/blog/archives/2009/02/balancing_secur.html

Knock Down the Barriers: What Does Two-factor Authentication Solution Need to Have?

At the recent RSA Conference 2013 in San Francisco, one of the resounding themes was the expansion of authentication solutions. The idea of replacing the old password as a login method is one that is feverishly being worked on by many vendors. However the main struggle for vendors is handling the tradeoff between usability and security.

Mat Honan identified this after explaining that security has two tradeoffs: convenience and privacy. For example, if you implement a password policy that is unusable, the security solution fails and is abandoned or circumvented. Privacy also limits what an organization can leverage for two-factor authentication. Many organizations are terrified of alienating their users and like the idea of offering a simple, private solution over a secure one.

Overall there is a lack of confidence in the marketplace as some of the leading solutions have experienced major hacks leaving behind doubts about the authentication methods being secure.

There is no “holy grail” solution for people to feel good about purchasing. It is unfortunate to see many organizations take the “it will not happen to us” approach because there is no simple answer to two-factor authentication.

When the question was posed “What do YOU need out of two-factor authentication?”, the common themes were that a solution needs to be:

  • Secure
  • Simple to use to avoid resistance from users
  • Inexpensive
  • Seamlessly integrated with all systems
  • Able to solve the provisioning/enrollment problem of tokens
  • Without the requirement of massive infrastructure
  • Easy to deploy and manage
  • Combined with single sign-on (SSO) for increased usability
  • Reliable
  • Using tokens which are easy to create, deploy, revoke, and replace

Luckily there are options emerging on the market which attempt to provide these properties. It is important to look at the options carefully and be deliberate in vendor selection. Are you ready to take the next step and evaluate the vendors on the market?

References:
http://bitzermobile.com/blog-musings-from-rsa-2013/
http://blogs.technet.com/b/steriley/archive/2006/04/20/425824.aspx

Stronger authentication without end-user benefits?

A recent discussion on LinkedIn started by a PortalGuard team member got some great comments relevant to PortalGuard…

Discussion: Stronger authentication without end-user benefits?

I have heard that many companies view two-factor authentication as a burden to end-users and seem reluctant to move beyond username/password security. What may be interesting to these companies is that stronger authentication initiatives can be coupled with sign-on benefits to achieve both security and usability enhancements. I’m wondering if it is a matter of a change in perspective? Could security professionals get more traction on security projects that are desperately needed if usability benefits (e.g. SSO) were more the focus of the business case when promoting these types of projects to senior management? Comments?

Comment #1: It is absolutely true that when introducing strong authentication, usability is hurt. I am sure we need to look into more usability-enhanced security measures in two-factor authentication, but two-factor authentication itself looks stronger than password/chip-and-PIN security.

Comment #2: …your thoughts are interesting. But if SSO and multi-factor authentication are often coupled, I’m not sure the motivation is to boost strong authentication adoption. It’s more that SSO comes with its own security problems. Once authentication is gained, access to a wide range of applications is granted. The impact of a breach is thus potentially greater.

To minimize the risk (for in our field everything is risk related), one of the measures that has to be adopted is stronger primary authentication. But it’s only one factor and it does not solve all the problems. Suppose I’m logged in and have to go to the bathroom; if I forgot to lock my computer, anyone can gain access to all the applications covered by the SSO.

So we often leave critical applications out of the SSO system and require strong authentication for those applications. I’m not saying it completely defeats the benefits of SSO, but it can seriously undermine them.

So let’s keep in mind that while multi-factor authentication strengthens security, SSO generally lowers it. Their combination is sometimes positive and sometimes negative, depending on the context.

Now, this is the (somewhat) objective view. The most interesting part of your post is that security professionals have to focus on usability benefits, whatever they are, to promote their projects to management. SSO is one aspect. More user-friendly multi-factor authentication is another.
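The token handoff described under “Balancing Security and Usability” (log in once to an authentication server, then present a token to every other site) and the concern raised in Comment #2 above (one SSO session unlocks everything, so critical applications often get left outside it), together as an added example that is not PortalGuard’s code: a minimal SSO authentication server that issues signed, per-application tokens from one login session, and an application-side check that can answer “step-up” rather than “ok” when it requires a second factor or a recent authentication. The application names, keys, lifetimes and the amr values are assumptions made for the illustration.

```python
"""Added example (not PortalGuard's code): an SSO authentication server issues
signed, audience-scoped tokens from one login session; each application checks its
token locally and may demand a step-up instead of accepting the SSO session as-is.
Application names, keys, lifetimes and amr values are assumptions for the demo."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# One key per application (assumed demo values): an application can verify, and
# therefore also forge, only tokens addressed to itself.
APP_KEYS = {
    "blackboard": b"demo-key-for-blackboard-use-32-random-bytes-in-real-life",
    "payroll": b"demo-key-for-payroll-use-32-random-bytes-in-real-life",
}
TOKEN_TTL = 8 * 3600            # seconds a per-application token stays valid (assumed)
MFA_METHODS = {"otp", "hwk"}    # authentication methods that count as a second factor
SESSIONS = {}                   # authentication server's SSO sessions: id -> session


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def login(user, amr, now):
    """Authentication server: the single sign-on. amr lists the methods used,
    e.g. ["pwd"] for password only or ["pwd", "otp"] after a one-time code."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"sub": user, "amr": list(amr), "auth_time": now}
    return sid


def step_up(sid, amr, now):
    """The same user authenticates more strongly; the session records it so that
    tokens issued from now on carry the stronger amr and a fresh auth_time."""
    SESSIONS[sid].update(amr=list(amr), auth_time=now)
    return sid


def token_for(sid, audience, now):
    """Mint a token for one application from the session: no new login needed."""
    s = SESSIONS[sid]
    claims = {"sub": s["sub"], "aud": audience, "iat": now, "exp": now + TOKEN_TTL,
              "auth_time": s["auth_time"], "amr": s["amr"]}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(APP_KEYS[audience], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_token(token, audience, now):
    """Application side: check the MAC with our own key before trusting anything,
    then audience and validity window. Returns the claims, or None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(APP_KEYS[audience], body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):   # constant-time compare
            return None
        claims = json.loads(_unb64(body))
        if claims["aud"] != audience or not (claims["iat"] <= now < claims["exp"]):
            return None
        return claims
    except (ValueError, binascii.Error, KeyError, TypeError, AttributeError):
        return None


def authorize(app, token, now, require_mfa=False, max_auth_age=None):
    """Returns "ok", "login" (no usable token for this app) or "step-up" (valid SSO
    token, but this app wants a stronger or fresher authentication first)."""
    claims = verify_token(token, app, now)
    if claims is None:
        return "login"
    if require_mfa and not MFA_METHODS & set(claims["amr"]):
        return "step-up"
    if max_auth_age is not None and now - claims["auth_time"] > max_auth_age:
        return "step-up"
    return "ok"


if __name__ == "__main__":
    sid = login("penny", ["pwd"], now=1000)
    print(authorize("blackboard", token_for(sid, "blackboard", 1000), 1000))       # ok
    print(authorize("payroll", token_for(sid, "payroll", 1000), 1000, True, 300))   # step-up
    step_up(sid, ["pwd", "otp"], 1100)
    print(authorize("payroll", token_for(sid, "payroll", 1100), 1100, True, 300))   # ok
```

Two design points carry the security argument. Each application holds only its own key, so a token presented to the wrong application, or a key leaked from one application, is useless anywhere else. And the token records how and when the user authenticated, so the payroll application can stay inside the single sign-on yet insist on a one-time code given in the last five minutes, which is the middle ground between leaving it in SSO unconditionally and leaving it out entirely.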

###

The PortalGuard software is an authentication platform which is focused on enhancing usability, while maintaining a balance between security, auditing, and compliance for your web and desktop authentication requirements. PortalGuard provides capabilities including multi-factor authentication, transparent user authentication,  self-service password management, two-factor authentication, password synchronization and single sign-on which can be seamlessly configured by user, group, or application.

http://www.PortalGuard.com

Subscribe to our newsletter: http://portalguard.com/contact_us.php

https://twitter.com/portalguard

http://pinterest.com/pistolstar/portalguard

http://www.facebook.com/pistolstar.authentication

http://www.facebook.com/pages/PortalGuard/240761992635169

Security Assertion Markup Language: SAML Profiles Explained

SAML (Security Assertion Markup Language) is an XML-based framework for generating and exchanging security information (assertions about a subject’s authentication, attributes and entitlements) between parties that have an established trust relationship, typically set up by exchanging metadata and signing certificates ahead of time. It is the standard way to provide web-based SSO beyond the intranet, for example from a campus identity provider to hosted applications.

Profiles describe how SAML assertions, protocols and bindings are combined to solve a specific use case. Each profile defines the constraints (and, where needed, extensions) on the messages, the checks each party must make, and which bindings may carry which messages.

SAML Profiles include:

Enhanced Client and Proxy (ECP) Profile: Specifies how <AuthnRequest> and <Response> messages are exchanged using the Reverse SOAP (PAOS) binding with a client that is more capable than a plain browser (an “enhanced client”, or a proxy such as a WAP gateway acting for a mobile device) and can therefore talk SOAP to the identity provider itself instead of being bounced between the parties by HTTP redirects.

Identity Provider Discovery Profile: Lets a service provider find out which identity provider(s) a principal has used before. The identity providers record this in a cookie in a common domain they share; the service provider reads that cookie to decide where to send the principal rather than asking every time.

Web Browser SSO Profile: Specifies how the <AuthnRequest> is delivered to the identity provider using the HTTP Redirect, HTTP POST or HTTP Artifact binding, and how the <Response> carrying the assertion comes back to the service provider’s assertion consumer service using HTTP POST or HTTP Artifact. This is the profile behind SSO from an ordinary web browser. The service provider must check, among other things, that the response’s InResponseTo matches a request it issued, that the message is signed by its trusted identity provider, that the assertion is inside its NotBefore/NotOnOrAfter window, and that the AudienceRestriction names the service provider.

Name Identifier Management Profile: Specifies how the HTTP Redirect, HTTP POST, HTTP Artifact and SOAP bindings are used by the Name Identifier Management protocol, with which an identity provider or service provider tells the other party that a principal’s name identifier has changed or that the association is being terminated.

Single Logout Profile: Specifies how the HTTP Redirect, HTTP POST, HTTP Artifact and SOAP bindings are used by the Single Logout protocol, so that a logout at one participant can be propagated to every other participant the principal signed into during that SSO session.

Name Identifier Mapping Profile: Specifies how a synchronous binding such as the SOAP binding is used to support the Name Identifier Mapping protocol, with which a requester asks an identity provider to map the name identifier it holds for a principal to the one another service provider knows.

Artifact Resolution Profile: Specifies how a synchronous binding such as the SOAP binding is used to support the Artifact Resolution protocol, with which a party that received a message by reference (an artifact) exchanges it for the actual SAML message over a direct back channel.

Assertion Query/Request Profile: Specifies how a synchronous binding such as the SOAP binding is used to support the SAML query protocols (<AssertionIDRequest>, <AuthnQuery>, <AttributeQuery>, <AuthzDecisionQuery>) that request existing assertions, attributes or authorization decisions directly from an authority.
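The Web Browser SSO Profile in running code, as an added example that is not PortalGuard’s implementation: the service provider builds the <AuthnRequest>, then validates the <Response> it gets back at its assertion consumer service, rejecting a response for a request it never made, one addressed to another service provider, and one outside its validity window. The entity IDs and URLs are assumptions, the sample <Response> is constructed inline, and the XML signature check is deliberately out of scope (the standard library cannot verify XML-DSig), so in production that check must run before anything this function returns is trusted.

```python
"""Added example (not PortalGuard's code): the service-provider side of the SAML 2.0
Web Browser SSO profile. Entity IDs and URLs are assumptions; the <Response> is
constructed inline; XML signature verification is out of scope (see validate_response)."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SP_ENTITY_ID = "https://sp.example.edu/saml/metadata"   # assumed
SP_ACS_URL = "https://sp.example.edu/saml/acs"          # assumed
IDP_ENTITY_ID = "https://idp.example.edu/saml/idp"      # assumed
IDP_SSO_URL = "https://idp.example.edu/saml/sso"        # assumed
SKEW = dt.timedelta(seconds=60)                         # tolerated SP/IdP clock drift
DEMO_NOW = dt.datetime(2014, 6, 25, 12, 0, tzinfo=dt.timezone.utc)   # fixed clock for the demo


def fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s):
    # SAML times are UTC xsd:dateTime; fractional seconds are not handled in this demo.
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def build_authn_request(now, request_id=None):
    """Step 1: the SP creates an <AuthnRequest>; the ID must be stored (e.g. in the
    user's session) so the <Response> can be tied back to it via InResponseTo."""
    request_id = request_id or "_" + uuid.uuid4().hex
    xml = ('<samlp:AuthnRequest xmlns:samlp="{p}" xmlns:saml="{a}" ID="{i}" Version="2.0" '
           'IssueInstant="{t}" Destination="{d}" AssertionConsumerServiceURL="{acs}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           '<saml:Issuer>{sp}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, xml.format(p=NS["samlp"], a=NS["saml"], i=request_id, t=fmt(now),
                                  d=IDP_SSO_URL, acs=SP_ACS_URL, sp=SP_ENTITY_ID)


def validate_response(xml, expected_request_id, now):
    """Step 2: checks the SP must make on the <Response> POSTed to its ACS URL.
    In production the XML signature on the Response/Assertion is verified FIRST (with an
    xmlsec-based library; the stdlib has none) and <EncryptedAssertion> is decrypted;
    everything below assumes that has already happened."""
    root = ET.fromstring(xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP reported failure")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo matches no outstanding request (replay or unsolicited)")
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no plaintext <Assertion>")
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion not issued by our IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no <Conditions>")
    if "NotBefore" in cond.attrib and now < parse_time(cond.get("NotBefore")) - SKEW:
        raise ValueError("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now >= parse_time(cond.get("NotOnOrAfter")) + SKEW:
        raise ValueError("assertion expired")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion addressed to %r, not to us" % audiences)
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS) if sc is not None else None
    if sc is None or sc.get("Method") != BEARER or scd is None:
        raise ValueError("no bearer SubjectConfirmation")
    if scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("bearer confirmation is for another recipient or request")
    if "NotOnOrAfter" in scd.attrib and now >= parse_time(scd.get("NotOnOrAfter")) + SKEW:
        raise ValueError("bearer confirmation expired")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {x.get("Name"): [v.text for v in x.findall("saml:AttributeValue", NS)]
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs


def sample_response(request_id, now, audience=SP_ENTITY_ID, lifetime=300):
    """Constructed stand-in for what the IdP would POST back (unsigned; demo only)."""
    exp = fmt(now + dt.timedelta(seconds=lifetime))
    xml = ('<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" ID="_r1" Version="2.0" '
           'IssueInstant="{t}" Destination="{acs}" InResponseTo="{rid}">'
           '<saml:Issuer>{idp}</saml:Issuer>'
           '<samlp:Status><samlp:StatusCode Value="{ok}"/></samlp:Status>'
           '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{t}"><saml:Issuer>{idp}</saml:Issuer>'
           '<saml:Subject><saml:NameID>penny@example.edu</saml:NameID>'
           '<saml:SubjectConfirmation Method="{bearer}"><saml:SubjectConfirmationData '
           'Recipient="{acs}" InResponseTo="{rid}" NotOnOrAfter="{exp}"/></saml:SubjectConfirmation>'
           '</saml:Subject><saml:Conditions NotBefore="{t}" NotOnOrAfter="{exp}">'
           '<saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction>'
           '</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="eduPersonAffiliation">'
           '<saml:AttributeValue>faculty</saml:AttributeValue></saml:Attribute>'
           '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return xml.format(p=NS["samlp"], a=NS["saml"], t=fmt(now), exp=exp, acs=SP_ACS_URL,
                      rid=request_id, idp=IDP_ENTITY_ID, ok=SUCCESS, bearer=BEARER, aud=audience)
```

Every rejection above corresponds to a real attack on the profile: a mismatched InResponseTo is a replayed or attacker-initiated response, a foreign Audience is an assertion minted for some other service provider being replayed here, and the expiry checks bound how long a captured response stays useful. The 60-second skew is a deliberate allowance, not a default to widen.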

Security Assertion Markup Language: SAML Bindings Explained

SAML (Security Assertion Markup Language) is an XML-based framework for generating and exchanging security information between parties that have an established trust relationship. It is the standard way to provide web-based SSO beyond the intranet.

There are a number of SAML bindings; their job is to map SAML request/response messages onto standard messaging and transport protocols such as SOAP and HTTP. This is what lets SAML integrate with a wide variety of applications and technologies.

Another way of thinking about SAML bindings is that they embed and transport SAML messages over various transport protocols; the binding says how the bytes travel, while the profile says what the parties must check.

The SAML 2.0 Bindings specification defines these six:

SAML SOAP Binding – Specifies how SAML protocol messages are carried in the body of SOAP 1.1 messages. This is the synchronous, server-to-server binding used for artifact resolution, attribute queries and other back-channel exchanges.

Reverse SOAP (PAOS) binding – Lets an HTTP requester (the client) act as a SOAP responder: the client advertises PAOS support in its HTTP request, and the server answers with a SOAP envelope containing the SAML message for the client to process. This is the binding the ECP profile relies on.

HTTP Redirect Binding – Carries a SAML protocol message in the URL query string: the XML is DEFLATE-compressed, base64-encoded and URL-encoded into a SAMLRequest or SAMLResponse parameter, with an optional RelayState. Because URL length is limited, it is used for short messages such as <AuthnRequest>, not for responses carrying assertions; if the message is signed, the signature is carried in separate SigAlg and Signature parameters rather than inside the XML.

HTTP POST Binding – The SAML protocol message is transmitted base64-encoded (no compression) in a hidden SAMLRequest or SAMLResponse field of an HTML form that the browser auto-submits to the receiver. It has no practical size limit and keeps the XML signature inside the message, which is why the <Response> with the assertion normally travels this way.

HTTP Artifact Binding – SAML requests, responses or both are sent by reference: a short artifact travels through the browser, and the receiver exchanges it for the actual message over a direct SOAP call to the sender’s artifact resolution service. The artifact itself is delivered with the HTTP Redirect or HTTP POST binding, so this binding ends up combined with one of them. Since the assertion never passes through the browser, the browser (and anything watching it) never sees its contents.

SAML URI Binding – A Uniform Resource Identifier refers to a resource independent of the protocol being used. In this binding an assertion is retrieved by dereferencing a URI; resolving it is equivalent to an <AssertionIDRequest> containing a single <AssertionIDRef>, folded into one URI. Like SOAP, the URI can be transported over multiple protocols, and the assertion authority should authenticate the requester and serve it over a confidential transport.
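The Redirect, POST and Artifact bindings side by side, as an added example that is not PortalGuard’s code: the same <AuthnRequest> is put into a redirect URL (raw DEFLATE, base64, URL-encoding), into a self-submitting POST form (base64 only, HTML-escaped), and behind a type-4 artifact that can be resolved exactly once. Endpoint URLs, the URL size limit and the sample message are assumptions made for the illustration; signing of the redirect query string is not shown.

```python
"""Added example (not PortalGuard's code): one SAML message carried by the HTTP
Redirect, HTTP POST and HTTP Artifact bindings. Endpoint URLs, the URL size limit
and the in-memory artifact table are assumptions made for the demo."""
import base64
import hashlib
import html
import secrets
import urllib.parse
import zlib

IDP_SSO_URL = "https://idp.example.edu/saml/sso"   # assumed
SP_ACS_URL = "https://sp.example.edu/saml/acs"     # assumed
MAX_URL_LEN = 2048      # assumed conservative browser/proxy limit for redirect URLs
_ARTIFACT_STORE = {}    # issuer-side table: artifact -> message awaiting resolution


# ---- HTTP Redirect binding: DEFLATE + base64 + URL-encode into the query string ----
def redirect_encode(saml_xml, relay_state=None, param="SAMLRequest"):
    """Returns the URL the browser is redirected to. wbits=-15 gives raw DEFLATE
    (no zlib header), which is what the binding specifies; using plain zlib.compress
    here is a common interop bug. A signature would go in separate SigAlg/Signature
    query parameters, not inside the XML."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = co.compress(saml_xml.encode()) + co.flush()
    params = [(param, base64.b64encode(deflated).decode())]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    url = IDP_SSO_URL + "?" + urllib.parse.urlencode(params)
    if len(url) > MAX_URL_LEN:
        raise ValueError("message too large for the Redirect binding; use HTTP POST")
    return url


def redirect_decode(url, param="SAMLRequest"):
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(qs[param][0]), -15).decode()
    return xml, qs.get("RelayState", [None])[0]


# ---- HTTP POST binding: base64 (no compression) in a self-submitting HTML form ----
def post_fields(saml_xml, relay_state=None, param="SAMLResponse"):
    fields = [(param, base64.b64encode(saml_xml.encode()).decode())]
    if relay_state is not None:
        fields.append(("RelayState", relay_state))
    return fields


def post_form(saml_xml, relay_state=None, param="SAMLResponse", action=SP_ACS_URL):
    """HTML page the sender returns to the browser. Values are HTML-escaped so that a
    crafted RelayState cannot break out of the attribute and inject script."""
    inputs = "".join('<input type="hidden" name="%s" value="%s"/>' % (html.escape(n), html.escape(v))
                     for n, v in post_fields(saml_xml, relay_state, param))
    return ('<form method="post" action="%s">%s<noscript><input type="submit"/></noscript></form>'
            '<script>document.forms[0].submit();</script>' % (html.escape(action), inputs))


def post_body(saml_xml, relay_state=None, param="SAMLResponse"):
    """The application/x-www-form-urlencoded body the browser actually sends."""
    return urllib.parse.urlencode(post_fields(saml_xml, relay_state, param))


def post_decode(body, param="SAMLResponse"):
    fields = urllib.parse.parse_qs(body)
    return base64.b64decode(fields[param][0]).decode(), fields.get("RelayState", [None])[0]


# ---- HTTP Artifact binding: pass a reference, resolve it over the back channel ----
def artifact_issue(saml_xml, source_entity_id, endpoint_index=0):
    """SAML 2.0 artifact, type 0x0004: TypeCode(2) | EndpointIndex(2) |
    SHA-1(issuer entityID)(20) | random MessageHandle(20), base64 for transport.
    The message itself stays with the issuer until it is resolved."""
    raw = (b"\x00\x04" + endpoint_index.to_bytes(2, "big")
           + hashlib.sha1(source_entity_id.encode()).digest() + secrets.token_bytes(20))
    artifact = base64.b64encode(raw).decode()
    _ARTIFACT_STORE[artifact] = saml_xml
    return artifact


def artifact_parse(artifact):
    """Receiver side: the SourceID tells it which issuer's resolution endpoint to
    call (over the SOAP binding) to trade the artifact for the message."""
    raw = base64.b64decode(artifact)
    if len(raw) != 44 or raw[:2] != b"\x00\x04":
        raise ValueError("not a type-4 SAML artifact")
    return {"type": 4, "endpoint_index": int.from_bytes(raw[2:4], "big"),
            "source_id": raw[4:24].hex(), "handle": raw[24:].hex()}


def artifact_resolve(artifact):
    """Issuer side of <ArtifactResolve>: one-shot; a second resolution returns None."""
    return _ARTIFACT_STORE.pop(artifact, None)
```

The three functions that decode input are where a receiver’s bugs live: redirect_decode must use the same raw-DEFLATE setting as the sender, post_form must escape what it echoes, and artifact_resolve must hand a message out once only, because an artifact that can be resolved twice is a replayable reference to an assertion.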
