Supplier's problems with passwords solved by single sign-on technology

By Ron Condon, U.K. Bureau Chief
27 Aug 2009 | SearchSecurity.co.uk


The last time the IT department of the supplier Westinghouse Rail Systems Ltd. carried out a user satisfaction survey, the response was unequivocal: "Save us from password hell."

Users said they found it impossible to keep track of all the different passwords they had to remember, particularly since the company enforced complex passwords with a mix of letters and numbers and also changed them on a regular basis. Inevitably, most users resorted to writing passwords in notebooks or on sticky notes attached to their screens. Those who forgot passwords flooded the help desk with reset calls.

The problems with passwords were nothing new. Users had been complaining about them for some years, but according to applications architect John Woodriff, there seemed to be no workable solution.

"We had looked at a number of solutions over the years, but they all seemed to cater for only one part of the problem," he said. "We have an awful lot of legacy applications, including some terminal-based ones going back 15 or 20 years, running on Digital VAX machines under VMS."

With different passwords needed for each application, users found it hard to retain the information without writing it down. In addition, most applications were programmed to lock down after three unsuccessful logins. "If that happened, they would have to phone the IT help desk, the call would be logged, then it would be passed to the admin guy for that application, who would reset the passwords and then go back to the user. That could take several hours, or a day if the system administrator was having a day off," he said.

The problem was crying out for some kind of single sign-on technology, but the broad range of applications had proved a major stumbling block. Then Woodriff came across Imprivata Inc., which offered a single sign-on (SSO) authentication system that was available both in software and as an appliance.

"Some of the features of SSO rang immediate bells with us. The system does self-enrolment, which means users can put in information about themselves, and use that private information to retrieve a lost password. They can dictate how many questions they want to use at enrolment, and the system will display three of these questions to get a webpage up to display their password," he said.

"So if they forget their password, they can go in via this webpage and get a reminder. It means they don't have to make an IT help desk call."

An initial trial of around 30 users was set up, and the company reviewed both the software- and appliance-based versions of the Imprivata OneSign product. The decision was taken to adopt the appliance, which seemed better able to cope with the load Westinghouse would put on it.

Deployment, according to Woodriff, was "frighteningly easy."

To capture the profile of each application, the SSO system needs to be taught how each login screen works: where it expects the username and password to be entered, and how the application handles successful and unsuccessful logins and password changes. This is handled through a simple graphical user interface.

Using a Web interface, the appliance allows the systems administrator to capture the elements of each startup screen in a series of drag-and-drop actions to create the application profile. Woodriff estimated an application with a simple interface can be set up in around 30 minutes.

"Unfortunately, not all the applications have been that easy," he conceded. A couple of old legacy applications proved especially problematic, and it took a few days of support calls with Imprivata's support staff before the root cause could be identified.

In one case, the implementation team discovered that an application took five screens before it got to the logon screen. "Basically, we had gone over Imprivata's buffer of screen scraping. All we had to do was extend the buffer and, bang, it worked. It took a while to find, a bit like a needle in a haystack. But we got there in the end, and we didn't have to change the application itself."

Another application failed to confirm a successful change of password and went straight to the logon screen, thereby confusing the SSO system. That was solved by the insertion of an alert box to denote a successful password change.

Six months on from the start of the project, around 1,500 users are enrolled on the system, accessing 15 different applications. Westinghouse has two Imprivata appliances installed at its headquarters in Chippenham, one of them for redundancy, and a third at a disaster recovery site in Euston, central London.

The same password policies apply to all the applications, and passwords are still regularly updated; the important difference is that users now only have to remember their single SSO password, and if they forget it, they have a means of retrieving it by themselves.

Most users authenticate themselves using their username and password, although the system allows other forms of authentication, such as fingerprint readers and a token that can be sent to a mobile phone.

Mobile users are also catered for by the system. "Mobile users who come in via VPN do not have to attach to the SSO server. They can be working from home, still log on, still have all their SSO, which is simply cached on the local machine," he said.

Most people have been pleased with the new single sign-on technology, although the user base, made up primarily of engineers, is not easy to impress, as Woodriff admitted. "We got a 98% positive response from users during the trial. One user couldn't see the point of it, but he only logged on to two applications," he said.

Some other users claimed the new logon process was slower than what they had before, but this turned out to be illusory. "We think that beforehand, they would switch on their machine and then go off and make a cup of tea while it was logging on, whereas now they were sitting and waiting for the process to happen."

Users can still switch off the SSO module if they insist, but they are warned that if they do, and then phone the help desk for a lost password, their names will be logged. Three strikes and they are back on the SSO system.

To help users get to grips with it, the IT department is creating instruction videos that can be viewed over the company intranet, but as Woodriff said: "We can't force people to read our online tutorials."

The acid test will come with the results of the next satisfaction survey, which Woodriff expects to receive soon. What he does know is that help desk calls are starting to come down, and that the system has caught the attention of other parts of Westinghouse's parent company, Invensys Rail Group (a division of Invensys plc). Some parts of the group in Asia have already followed suit, and he said the system is likely to be adopted in the U.S. as well.

For the future, it is a question of bringing yet more applications under SSO control. In addition, as Westinghouse is making greater use of virtualisation, Woodriff said that once Imprivata introduces support for VMware at the end of the year, this will enable him to reduce the number of OneSign appliances from the current count of three.
