Single Sign-on Overview
The Single Sign-on (SSO) standard allows user to access applications transparently without having to authenticate each time. In a typical web scenario, the users need to authenticate themselves to access restricted information on a computer or web site.
In the Single Sign-on (SSO) standard, the user will only have to enter their credentials once, the first time that they access the computer or web site. On subsequent log-ins, the same credentials will be used for accessing additional resources on the computer, web server, extranet or intranet. (Khurana, 2012)
The first step in the Single Sign-on process is the end-user entering their credentials and the validation of those credentials, which is called authentication. The rest of the applications will then use this authenticated session to obtain the user name, and will thereafter logon the user automatically. This second step of the process of obtaining the user name is called the identification. (Khurana, 2012)
Federated Single Sign-on
An Identity Provider (IDP) is the website or online service providing a security credential on behalf of a user, while the service provider (SP) provides a service or application, once the user has been authenticated. Some Sign-on systems are designed to only work when the identity provider and service provider are in the same organization.
Other systems will work even when the IDP and SP reside in another organization, these systems are said to implement Federated Single Sign-on. When a group of service providers and identity providers agree to work together this group is typically called a federation. Federated identity management (FIM) is the management and use of identity information across security domains, and relates to with issues such as interoperability, liability, security, privacy and trust.
Partners also need a standard way to send that message, such as one that uses the conventions of the Security Assertion Markup Language (SAML). SAML allows instant recognition of whether the prospective user is a person or a machine, and what that person or machine can access.
SAML documents can be wrapped in a Simple Object Access Protocol (SOAP) message for the computer-to-computer communications needed for Web services. Or they may be passed between Web servers of federated organizations that share live services. (Carr, 2003)
Identity federation is commonly accepted as the most effective way to gain assurance of the identity of persons external to an organization. In other words, organizations can recognize and accept a partner's own corporate-issued credential for access into the organization's applications. The organization receives the most up-to-date identity information about the partner, verifies the person's employment status, and avoids provisioning and maintaining credentials for these external users. (Nigriny, 2011)
In enterprise SSO, data resides in a secure location outside the user’s PC, primarily for user mobility, and the ability to deny or grant access remotely. There are essentially three basic architectures for making SSO information available such as logins, passwords and access rights.
The information is stored on a server that is dedicated to this task, and the client on the PC will query the server whenever necessary. This server is often duplicated for redundancy, although cache mechanisms on the PC can compensate for temporary unavailability.
In this scenario, software and hardware are packaged together, thus reducing deployment expenses. However, a downside to this technique is that we may not be able to add memory and storage on an appliance, as we would a server.
Using this method, SSO data is stored in encrypted form, in the directory that already exists in most companies. An example would be the Novell Directory Services (NDS) or Active Directory (AD) through which users access Windows. Utilizing the AD would not require us to install a server or appliance, as our users are already accessing the directory; as such our deployment expenditures are reduced.
ADFS allows the secure sharing of identity information between trusted business partners i.e. a federation across an extranet. When a user needs to access a Web application from one of its federation partners, the user's organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions. (Brown, 2006)
.The ADFS administration tool (adfs.msc) is provided as a Microsoft Management Console (MMC) snap-in. This administration tool is used to add account and resource partners, map partner claims, add and configure account stores, and identify and configure federation-aware Web applications.
Due to its’ simplicity and effectiveness, the password was the original authentication method. As long as the password was kept secret, then no unauthorized user could gain access to systems or applications. However, the proliferation of tasks that required passwords, and the requirement for end-users to remember many passwords, as well as the weakness of the passwords created by them, has rendered passwords a less than optimal means of authentication.
In response to the issues of the simple passwords, many entities implemented the use of strong passwords i.e. complex passwords that made use of numbers and special characters, in lieu of merely letters. However, these strong passwords were often too difficult for end-users to recall, with the result that there would be many calls to administrators to reset passwords.
ID tokens are small devices which generate numeric codes that validate user access for a limited time or a single use. Some ID token systems require that a challenge string is typed into the token before the passcode is generated, while others require a PIN be entered with the One-Time Password (OTP) for two-factor authentication. Other types of tokens, such as time-based tokens generate OTPs based on a secret key and current time, while event-based tokens generate OTPs by the press of a button on the device. (Imprivata, 2009)
There are two types of smart card, contactless, and contact. As the name implies, contactless cards do not need to make contact with a reader to be read, or swiped in a special slot, instead they utilize RFID technology, allowing them to be read at a distance. This contrasts markedly with a contact smart card, which communicates with the reader via direct physical contact.
Regardless of the type, both forms of the card have built-in intelligence, and can contain a variety of data for authentication and security. Smart cards cannot be tampered with, and they can perform multiple functions; a single smart card can serve as an employee ID badge, building access card, PKI credential store, and application password provider. Frequently, companies issue smart cards so they can be used not only for access control, but also to digitally sign e-mails, files or content to prove their authenticity.
Passive Proximity Cards
Passive proximity cards are contactless access control cards, and also provide authentication data via RFID technology. When a passive proximity card is waved near a card reader, the reader provides power to the card, and reads the data of the card to authenticate the identity of the cardholder.
Active Proximity Cards
The active proximity card consists of a radio transmitter, which is worn by the user that maintains communication with a receiver connected to the user’s workstation, when the user is in close proximity. When the user moves out of range of the workstation, the communication terminates and the computer locks.
Biometric devices authenticate users with something that is uniquely theirs, such as facial features, fingerprints, hand geometry, voice, retina, irises, et cetera.
Throughout our lifetime, our fingerprints remain constant, and there are no two fingerprints that are alike, even those of identical twins. Fingerprint identification involves comparing the pattern of ridges and furrows on the fingertips, as well as the ridge characteristics of a specimen print with a database of prints on file. When the user logs in, the device scans the fingertip and compares it to the data on file to complete the authentication process.
There are two common modes of fingerprint authentication; the first is fingerprint verification, which matches the fingerprint to the user after the user has provided a username, thus establishing a one-to-one match. In the second mode, the user presents a finger and is authenticated, which is considered a one-to-many match. (Technovelgy, 2012)
Hand geometry biometrics. Hand geometry readers can work in harsh environments, and unlike fingerprint readers do not require clean conditions. It is not regarded as an intrusive kind of test, and is often the authentication method of choice in industrial environments.
Signature. A signature is relatively simple to obtain, and is also not considered physically intrusive. Digitized signatures also may be used, but usually do provide sufficient resolution to ensure authentication.
Of the various biometric identification methods, face recognition is one of the most flexible, working even when the subject is unaware of being scanned. Facial recognition systems work by systematically analyzing specific features that are common to everyone's face, the distance between the eyes, width of the nose, position of cheekbones, jaw line, chin, et cetera. These assets are converted into numerical quantities, and are then combined into code that uniquely identifies each person.
The graphic below depicts the process of a utility digitizing an image to a database. In the “Bypass Model” section an exploit is shown that allowed an attacker to show a photograph to the computer, and to gain access.
For the exploit to work, the attacker must have hands-on access to your computer, and must present a photograph that is very similar to the one that was to “taught” to the computer. The researcher (Duc, 2009) asserts that this can be accomplished by obtaining an image from the Internet or taking a photo with a telescopic lens, and then using image processing software to duplicate the stored photo.
Retinal scanning. Similar to a fingerprint, the pattern of the blood vessels at the back of the eye render the retina very unique, and does not change throughout life. A downside to this method of authentication is that it requires upwards of 15 seconds of careful concentration to take a scan. Nonetheless, retinal scanning remains a standard in military and government usage.
Iris scans. Resembling a retinal scan, an iris scan also provides unique biometric data that is very difficult to replicate and remains constant for a lifetime. Also like the retinal scan, the iris scan is similarly difficult to obtain, however the iris scan biometric data can be encoded, and carried securely in a barcode format.
Voice analysis. Comparable to face recognition, voice biometrics provides a means to authenticate identity without the subject's knowledge. And though it may be faked by the use of a tape recording, it is not possible to deceive an analyst by imitating another person's voice. (Technovelgy, 2012)
As indicated by the table below, facial recognition technology had a low False Acceptance Rate (FAR) when compared with other biometric technologies. However, its False Rejection Rate (FRR) was fairly high according to the findings of two studies conducted by the NIST, FRVT 2006 and ICE 2006 Large-Scale Results. (Phillips et al, 2007)