There’s a secret that single sign-on (SSO) never talks about. It’s called authentication.
The SSO conversation starts with an unstated assumption: the user is already logged in, through a login that requires a password. Instead, SSO is quickly positioned to triumph over the dangers of weak and reused passwords.
Many times, however, those same suspect passwords are the ones used for the initial authentication into the SSO environment.
Authentication is actually SSO’s most critical gatekeeper for a user’s identity. If the authentication password is stolen, all the user’s identities associated with that federated service are exposed.
Password policies, crazy character composition guidelines, and x-day expiration dates are the techniques enterprises typically use, with varying degrees of success, to get users to create passwords deemed strong enough for authentication to the SSO environment.
It’s within this scenario that Yubico has entered into a partnership with Ping Identity, a leader in the SSO and federation ecosystem, to create strong two-factor authentication for those critical and initial logins.
The one-time password (OTP) functionality of the YubiKey is integrated into PingID, a multi-factor authentication engine within the company’s flagship cloud identity service, PingOne.
So even if a user’s password is phished or stolen, a hacker is unable to access the user’s SSO environment without also having the user’s physical YubiKey. In addition, the YubiKey is not vulnerable to the man-in-the-middle attacks that plague SMS phone-code solutions.
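As an added illustration, and not Yubico’s or Ping Identity’s code, here is what a validating service has to check on a 44-character YubiKey OTP before it counts as a second factor: modhex decoding, the CRC-16 integrity check on the decrypted 16-byte token, and the monotonic counter comparison that makes a captured OTP worthless on a second use. The AES-128 decryption of the 32-character body is passed in as a callback; the public ID, private uid and counters below are constructed sample values.

```python
import struct

MODHEX = "cbdefghijklnrtuv"   # YubiKey modhex alphabet: survives any keyboard layout
CRC_RESIDUAL = 0xF0B8         # CRC-16 over an intact 16-byte token always ends here

def modhex_decode(text):
    """Two modhex characters per byte; anything outside the alphabet is rejected."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not modhex")
    nib = [MODHEX.index(ch) for ch in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nib[::2], nib[1::2]))

def modhex_encode(data):
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)

def crc16(data):
    """CRC-16 (init 0xFFFF, reflected polynomial 0x8408) as used in the OTP."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def build_token(uid, usage, session):
    """Constructed sample plaintext token (timestamp and random bytes zeroed):
    uid[0:6], usage counter[6:8] LE, timestamp[8:11], session[11],
    random[12:14], inverted CRC[14:16] LE."""
    body = uid + struct.pack("<H", usage) + b"\0\0\0" + bytes([session]) + b"\0\0"
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)

def verify_otp(otp, db, decrypt):
    """Accept `otp` once: decode, decrypt, check integrity, reject replays.
    `decrypt(public_id, ciphertext)` is AES-128-ECB with that key's secret in
    a real validator; `db[public_id]` holds {'uid', 'usage', 'session'}."""
    rec = db.get(otp[:12]) if len(otp) == 44 else None
    if rec is None:
        return False                       # malformed, or unknown public ID
    plain = decrypt(otp[:12], modhex_decode(otp[12:]))
    if crc16(plain) != CRC_RESIDUAL or plain[:6] != rec["uid"]:
        return False                       # corrupted, or wrong AES secret
    usage, = struct.unpack_from("<H", plain, 6)
    session = plain[11]
    if (usage, session) <= (rec["usage"], rec["session"]):
        return False                       # replay: a captured OTP is dead on arrival
    rec["usage"], rec["session"] = usage, session   # advance the high-water mark
    return True
```

The usage counter is non-volatile and increases every time the key powers up, the session counter resets with it, so the pair only ever moves forward on a genuine key and any OTP at or below the stored pair is rejected.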
PingOne users now have the option to add hardware-based, two-factor authentication to secure primary logins to Ping Identity’s cloud SSO environment. There are plans to integrate YubiKeys with other components of Ping Identity’s recently unveiled Identity Defined Platform, which includes PingFederate and PingAccess. Soon privileged accounts in the Ping Identity environment also will be covered under this OTP security blanket, further protecting specific enterprise accounts.
The USB-based YubiKey is one-touch protection for all applications protected by SSO and federation. It’s a hardware authenticator that doesn’t require a battery or the installation of any client software. By design, nothing can be written to the YubiKey, so malware can’t be loaded onto it.
Support for OTP is included on the YubiKey Standard and Nano, YubiKey Edge and Edge-n, and the YubiKey NEO and NEO-n.
In addition, the YubiKey is not a single purpose device. Both the YubiKey Edge and YubiKey NEO offer support for multiple authentication options, including the FIDO Alliance’s U2F protocol. The YubiKey NEO and YubiKey NEO-n have other capabilities such as a PIV-compliant CCID smart card and OpenPGP (for code signing, etc.). The YubiKey NEO also supports NFC for logging on to mobile applications.