Two Sides of Single Sign-On

4:25 PM -- When Oracle announced its new suite of single sign-on (SSO) tools last week, it raised a debate that has been raging since the first SSO technology was unveiled more than a decade ago. (See Oracle Spurs Single Sign-On Surge.)

The question is simple: Is it a good idea to allow users to access multiple systems with a single password?

The arguments on both sides are compelling. On the pro-SSO side, there is the beleaguered helpdesk (or security admin), which spends an average of 30 percent of its time resetting passwords. In an environment such as Oracle's, where a user may log onto more than half a dozen different applications in a very short timeframe, password management can be an absolute nightmare.

Giving users a common logon for all of their systems can reduce administrative costs and free up the helpdesk to do real troubleshooting, SSO proponents say. It can also increase productivity, and it may actually improve security by eliminating the need for yellow stickies or easily-hackable "password files" stored on the end user's computer.

But SSO users may also be putting all of their eggs in one basket, critics say. Even if a company implements strong, multifactor authentication, an attacker with the right information could infiltrate not one, but a dozen different applications and systems, effectively cutting a much wider path than they could have if they'd been limited to a single system.

These SSO critics are saying that it's inherently safer to keep access and data decentralized, on a variety of systems, than to potentially give an attacker access to a centralized system. It may be a pain to manage, they say, but it's a more secure approach.

Here at Dark Reading, we see merits to both arguments. Where do you stand? Give your opinion on the message board attached to this blog. We'll collect up the opinions, and if we get enough of them, we'll report on what we found out in a subsequent story.

(Editor's note: Please use the message board, and don't write us directly via email. We'd like all of our readers to see the responses. All postings are completely anonymous.)

— Tim Wilson, Site Editor, Dark Reading