Clients often ask me to advise them on reducing the number of passwords end-users need to use in order to access their accounts and applications. Their first approach, in order to avoid multiple passwords, is usually to ensure that passwords are synchronised over different systems.
This is certainly a valid approach, but is it always the best solution? This post focuses on the advantages and disadvantages of using a password synchronisation tool to reduce the number of login credentials. It also looks at the strength of Enterprise Single Sign On software (such as Tools4ever's E-SSOM) as an alternative.
Although password synchronisation solutions will reduce the number of passwords the end user needs to key in, a number of technical conditions must be met in order for the software to function effectively:
1. Password synchronisation applications (for example PSM (Password Synchronisation Manager) by Tools4ever) need to be able to know which accounts in each application correspond to which user in the enterprise directory (such as Active Directory). However, this is not always an easy process as many applications use different (manual) naming conventions or limit the number and/or type of characters in the user name.
2. Each application must allow an automated password change whenever a password is amended in Active Directory. This often requires a specific connector or API. The password complexity rules of the application must also comply with those of the central directory. However, many applications have limited password complexity rules and therefore weaker passwords would need to be used at Active Directory level in order for the password synchronisation solution to work. This kind of scenario is not ideal as it could lead to potential security issues.
In many cases the conditions above mean that a new project must be undertaken to make password synchronisation possible. This takes time and resources, and may involve changing usernames and passwords for the end user, which is just the situation that we are trying to avoid.
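The second condition can be checked before a synchronisation project starts. The following is an added example, not code from Tools4ever or any product named here: it merges the password rules of the directory and each application into the single policy a synchronised password would have to satisfy, and lists the applications that cannot hold a directory-compliant password. The `Policy` type, the function names and the sample policies are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

CLASSES = frozenset({"lower", "upper", "digit", "symbol"})

@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    max_length: int
    allowed: frozenset = CLASSES       # character classes the system accepts
    required: frozenset = frozenset()  # classes every password must contain

def common_policy(directory, apps):
    """Policy that one synchronised password must satisfy on every system."""
    systems = [directory, *apps]
    return Policy(
        name="synchronised",
        min_length=max(s.min_length for s in systems),
        max_length=min(s.max_length for s in systems),
        allowed=frozenset.intersection(*(s.allowed for s in systems)),
        required=frozenset().union(*(s.required for s in systems)),
    )

def is_satisfiable(policy):
    """False when no password can meet the merged rules at all."""
    return policy.min_length <= policy.max_length and policy.required <= policy.allowed

def weakening_apps(directory, apps):
    """Map each app that cannot hold a directory-compliant password to the reasons."""
    findings = {}
    for app in apps:
        reasons = []
        if app.max_length < directory.min_length:
            reasons.append(f"max length {app.max_length} < directory minimum {directory.min_length}")
        missing = directory.required - app.allowed
        if missing:
            reasons.append("rejects required classes: " + ", ".join(sorted(missing)))
        if reasons:
            findings[app.name] = reasons
    return findings

# Constructed sample policies, not taken from any real system.
DIRECTORY = Policy("Active Directory", 12, 127, required=CLASSES)
APPS = [Policy("legacy-erp", 6, 8, allowed=frozenset({"upper", "digit"})),
        Policy("hr-portal", 8, 64)]

if __name__ == "__main__":
    print("satisfiable:", is_satisfiable(common_policy(DIRECTORY, APPS)))
    for name, reasons in weakening_apps(DIRECTORY, APPS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Any application reported by `weakening_apps` is one for which the directory policy would have to be lowered, which is the security cost described in condition 2.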
Enterprise Single Sign On solutions can offer a number of advantages over PSM software. Firstly, it is often easier to implement an Enterprise Single Sign On solution. Enterprise SSO solutions (specifically E-SSOM by Tools4ever) can recognise the login screens/events of applications and can automatically fill them out. The result for the end user can be even better than a successful password synchronisation as not only do they no longer have to remember different sets of login credentials, but they also do not need to key in logon credentials for each application.
In the case of Enterprise SSO Manager:
- The conditions (as specified above) for password synchronisation do not have to be met.
- Nothing has to be changed in the existing login/password structures.
- No APIs or connectors are necessary to access application passwords.
- The solution will work with any type of application or mode of authentication.
As such, Enterprise Single Sign On solutions are often the preferred choice over Password Synchronisation tools. Personally, I find that if you only have one or two applications to synchronise and all the conditions have been met anyway, Password Synchronisation can be an excellent tool to use. However, if the conditions for password synchronisation are not met natively or if you are interested in 'synchronising' more applications, an Enterprise SSO solution like Tools4ever's E-SSOM would be the better solution in terms of light implementation, scalability and resulting ease of use for the end-user.