Recent Developments in Simplified Sign-On

Introduction

Plain old authentication can be defined in many ways but perhaps the simplest and most relevant definition to most computer users is a security measure for checking a network user's identity. Even in today’s world of digital certificates and biometrics, authentication most typically takes the form of a username and password. Figure 1 shows a standard authentication process. Note that this is Basic authentication, wherein the Web server prompts for a username and password. Other common Web authentication types are Anonymous (no authentication required) and Integrated (currently logged in authentication details automatically checked to see if the user can access the resource). Simplified Sign-On is the concept of allowing users to move from one Web site to another on the Web without having to enter identifying information numerous times (see Figure 2). A person would enter, for example, a username and password, at the start of a network session, and this authentication information would be automatically passed to each Web site they visit thereafter. A network session might be when a user connects to the Internet or opens a Web browser. The rationale behind Simplified Sign-On is obvious; the growth of the Web has led to people having to manage a host of usernames and passwords for Web sites. An average Web user now shops online, pursues hobbies online, manages their bank accounts online, and communicates online using email, instant messaging and photo-sharing (Perry, 2006). The list is lengthy and almost all of these require authentication, usually in the form of a username and password. For many users, a single sign-on would be welcome. Listed below are some of the obvious benefits of Simplified Sign-On.

Figure 1.

Authentication on the Web

Figure 2.

Simplified Sign-On on the Web

• •

  More convenient for the user as they have to remember only one username and password.

• •

  Security issues reduced as the user should not have to write down the one username/password.

• •

  With only one authentication system, there is less chance of having the password stolen.

• •

  As the user has to logon only once, there is faster access to different sites.

• •

  There should be a continuous link to different sites.

• •

  The system is managed centrally.

As well as speed and convenience, Simplified Sign-On also offers improved security. Web users no longer have to remember and manage countless logons (making them more vulnerable to fraud) and organizations have less responsibility for the security and privacy of peoples’ authentication (and personal) information. The balkanization of today’s online identity-verifying systems is a big part of the Internet’s fraud and security crisis. Improving and maintaining people’s trust in the internet is critical to its survival as a useful, thriving entity (Talbot, 2006). Also, if authentication is consolidated in one session or authority, Web users only need to share their personal information once instead of giving numerous copies of that information to multiple third parties. This means greater privacy for users and less risk of personal information being accessed. Many companies have already encountered these issues on an organizational scale; workers use numerous systems and have to manage authentication for each of them. This causes a lot of inconvenience to users, I.T. resources are wasted resetting passwords and administering user accounts, and security can be compromised by users writing down usernames and passwords because they cannot remember them. As a result, many organizations have implemented Simplified Sign-On that allows workers (or students, or customers) to log in once, in order to access all the systems they use. Scaling up this kind of solution to something as vast and heterogeneous as the Web is a challenge.