SecureLogin and password protected screen savers

  • 7940143
  • 19-Aug-2009
  • 07-Jan-2014

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.

Environment

SecureLogin
SecureLogin SSO
All Versions
MS AD, LDAP, NT4, Citrix, Terminal Services


Situation

Issue

An SSO administrator wants to SSO-enable 20 applications. However, the application owners were concerned about people walking away from their desk and someone other than them walking up to the workstation and accessing the applications.

They make the point that without SSO, the user (and any unauthorized person) would have to start the application they wanted to access and enter the username and password when prompted. An unauthorized person would have had to know or guess the password.

SecureLogin automates this process by retrieving and entering the credentials when the application is launched, so the application logs on automatically if the screen isn't locked.

Can this issue be addressed?

Resolution

Cause

SecureLogin makes it easier for users to log on to applications because, by default, it doesn't prompt them to re-enter their usernames and passwords. If no extra security is enforced, an unauthorized person may be able to run an application if a user walks away from their workstation without a screen lock or some form of re-verification active.

Solution

A number of options are available to solve this problem. With any SSO solution, it is essential that you enforce a password-protected screen saver that can also be activated with a few mouse clicks or movements (e.g. Hotspot, available free from the web).
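The screen-saver requirement above is something an administrator can verify rather than assume. The following PowerShell script is an added example, not part of the original article or of the SecureLogin product: it reads the standard Windows screen-saver settings for the current user (the per-user Group Policy key first, then the user's own settings under Control Panel\Desktop) and reports whether a screen saver is enabled, requires a password on resume, and times out within a threshold. The `MaxTimeoutSeconds` threshold is an assumed site policy, not a value from the article.

```powershell
# Added example (not part of the original article or the SecureLogin product):
# audit the effective screen-saver settings for the current user and report
# whether they satisfy the "password-protected screen saver" requirement.
# Registry paths and value names are the standard Windows ones; the
# MaxTimeoutSeconds threshold is an assumed site policy, not from the article.

param(
    [int]$MaxTimeoutSeconds = 600   # assumed site maximum; adjust to local policy
)

# Group Policy writes per-user screen-saver settings to the Policies key; when a
# value is present there it overrides the user's own setting under Control Panel\Desktop.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey   = 'HKCU:\Control Panel\Desktop'

function Get-EffectiveValue {
    param([string]$Name)
    foreach ($key in @($policyKey, $userKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) {
            return [pscustomobject]@{ Value = $item.$Name; Source = $key }
        }
    }
    return $null
}

$active  = Get-EffectiveValue -Name 'ScreenSaveActive'     # "1" = screen saver enabled
$secure  = Get-EffectiveValue -Name 'ScreenSaverIsSecure'  # "1" = password required on resume
$timeout = Get-EffectiveValue -Name 'ScreenSaveTimeOut'    # idle seconds before it starts
$exe     = Get-EffectiveValue -Name 'SCRNSAVE.EXE'         # screen saver binary

$findings = @()
if (-not $active -or [int]$active.Value -ne 1) {
    $findings += 'Screen saver is not enabled (ScreenSaveActive != 1).'
}
if (-not $secure -or [int]$secure.Value -ne 1) {
    $findings += 'Screen saver does not require a password on resume (ScreenSaverIsSecure != 1).'
}
if (-not $timeout -or [int]$timeout.Value -le 0 -or [int]$timeout.Value -gt $MaxTimeoutSeconds) {
    $findings += "Screen saver timeout is missing or above $MaxTimeoutSeconds seconds."
}
if (-not $exe -or [string]::IsNullOrWhiteSpace($exe.Value)) {
    $findings += 'No screen saver executable is configured (SCRNSAVE.EXE is empty).'
}

# Report each setting with the key it was read from, then the verdict.
foreach ($pair in @(@('ScreenSaveActive', $active), @('ScreenSaverIsSecure', $secure),
                    @('ScreenSaveTimeOut', $timeout), @('SCRNSAVE.EXE', $exe))) {
    $name, $v = $pair
    if ($v) { "{0,-20} = {1,-12} (from {2})" -f $name, $v.Value, $v.Source }
    else    { "{0,-20} = <not set>" -f $name }
}
if ($findings.Count -eq 0) {
    'PASS: a password-protected screen saver is enforced for this user.'
} else {
    'FAIL:'
    $findings | ForEach-Object { "  - $_" }
}
```

Run it in the user's own session (the values are per-user, so running it as a different account audits that account instead). Settings that come from the Policies key cannot be changed by the user, which is the state you want for an SSO deployment; settings that come only from Control Panel\Desktop are the user's own choice and can be switched off at any time.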

You should also consider using Advanced Authentication Services, which uses multi-factor authentication to establish proof of identity. You can choose which applications require re-verification and which will log on immediately.

For example, if a user walked away from their workstation, anyone who launched an application that had been configured for re-verification would be prompted to re-verify (e.g. smartcard/PIN, fingerprint scan or token) before SecureLogin would retrieve the underlying application username and password and log on to the application, even if the workstation wasn't locked with a screen saver. This is possible without touching the application or application servers at all.

SecureLogin Advanced Authentication provides this functionality and is fully integrated with SecureLogin SSO.

Another option is to use virtual password synchronization. With virtual password synchronization, if a user walked away from their workstation, anyone who launched an application that had been configured for re-verification would be prompted to re-verify using their network (e.g. ADS) password before SecureLogin would retrieve the underlying application username and password and log on to the application, even if the workstation wasn't locked with a screen saver. This is possible without touching the application or application servers at all.

With virtual password synchronization, all the backend passwords are still different, so you don't have the security holes that appear when you make all passwords the same; but from the user's point of view, they only need to remember their network password to log on to applications.

Because SSO remembers the application passwords, they can be strong and complex and changed automatically when they expire, without user input. This means users do not know their application passwords and cannot write them down or share them.