The keys to the kingdom

I was having a discussion with somebody a few weeks ago about the inconvenience of logging on to systems multiple times. I’m sure it’s a conversation every identity guy has had many times. To my surprise, this one person made the point that he didn’t find it particularly burdensome.

It turned out that his company had put password sync in place for all the applications he used. They’d also gone to the enormous trouble of ensuring that as many of the systems as possible used the same username.

This isn’t single-sign-on. He still had multiple sign-ons to perform.However, whenever he sees a username/password dialogue, he has no doubt what he should type in to it. It takes seconds and is no big deal.

I asked him how he’d feel if he didn’t have to log in to all these systems at all. If he just had to enter one username and password for everything. Now in the scheme of things, both approaches – password/username sync and SSO give the attacker the keys to kingdom once they find the username and password (and that’s a topic for a different blog entry). So the security risk is very similar (and I’m sure many will find subtle and esoteric arguements against that notion), however it was his personal attitude that struck me. “Each time I have to log in to a system, it’s a little reminder to me that I’m dealing with something important. If you took that away, I think I’d take my personal resonsibility to protect the information I work with less seriously – even if it’s always the same username and password”.

He clearly thought the absence of SSO promoted a clearer sense of personal responsibility for him. He liked the fact that it was easy to remember the username and password, but also liked the gentle reminder “you have to log in because you’re doing something important with this data”. SSO would erode this feeling for him over time. And for what particular level of inconvenience?

It’s something I’d love to survey more users with. Those who have implemented consistent-sign-on. How inconvenient is it to enter a consistent username/password?

From an architectural elegance point of view, it’s very ugly. It doesn’t sit neatly with us to have something so loosely coupled. But do those extra few moments every day really make any difference to an organisation’s overall efficiency? And in fact, does that incovenience have the effect of increasing the organisation’s data security because its staff take the data more seriously?

I doubt I’ll ever get the opportunity to study this any deeper – unless a reader wants to fund some research?

 Perhaps there is some existing research – anybody?



0 Responses to “The keys to the kingdom”

  1. Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


%d bloggers like this: