Single Sign On in Access Control

What is single sign on (SSO) and how does it work? Can it be implemented in access control to streamline the process of unlocking doors?


What is Single Sign-On?

Single sign-on (SSO) is a system property or authentication service that lets you use the same username and password across several applications. Once you have entered your login credentials with the central service provider, you are authenticated and gain access to all applications participating in the same session. As long as you remain signed in to the central service, you will not be prompted to enter your credentials into the connected applications again.

An average user logs into about 10 apps a day and almost 30 apps a month on a mobile phone alone. Add countless web-based services and the number gets even higher, not to mention the services you need if you work with computer networks as a system administrator or developer, or if you manage multiple client accounts. SSO simplifies this work, since it saves the time needed to re-enter credentials as you move between applications. An ideal SSO would let a user sit down at any machine, anywhere in the world, and get access to every application he uses that is linked to the system.

One very popular single sign-on is a Google account. When you are logged into a Google account, you automatically get access to the other Google products connected to that account. The central account service gives you access to YouTube, Analytics, Drive, Maps, and the rest of Google's products. Even if you only signed up for Gmail, the account stores the session cookies and uses them for further validation with the rest of the services. Google SSO is a safe way to grant access to all platforms, as the same authentication is valid for an Android phone and for web tools.

The technology behind SSO can vary. A single sign-on can be executed via several protocols. The most common protocols are:

  • LDAP (Lightweight Directory Access Protocol), used to locate files and devices on the Internet.
  • Kerberos, based on a ticket-granting ticket (TGT) service.
  • SAML (Security Assertion Markup Language), an XML standard for the secure exchange of user authentication and authorization data across domains.

It is important to distinguish between single sign-on and single credentials, or Direct Server Authentication (DSO). SSO provides access to a number of applications by seamlessly passing along the authentication token. With DSO, the system asks for authentication for each application, but checks the same credentials against a directory server.


How Does It Work?

Single sign-on is part of a federated identity system; it is the element associated with authentication. SSO establishes that the user claiming access is who he says he is, and then shares that verified identity with each connected application that needs the user's data for authentication purposes.

SSO functions like a key to a cookie bank for the authenticated domains. It works around the browser's same-origin policy for sharing cookie information, enabling session information to be shared across domains. In this way, all users of the same SSO-authenticated software get automatic access to those domains.

Here is what the typical step-by-step SSO process looks like with a centralized authentication server, which can be either a corporate or a third-party solution.

  1. The user logs into an application that uses SSO for the first time and requests access.
  2. The authentication server looks for an existing session.
  3. Since it will not find one (the user has not logged into the server before), the server returns a request for the user's credentials.
  4. The user enters and sends the credentials (this can be multi-factor authentication or just a single password).
  5. The central server makes a record of that session.
  6. The server sends the access token back to the user.

The next time the user logs into an SSO-supported application, the centralized authentication server finds the previous session and immediately shares the access token, without asking for credentials for each separate application.
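The six steps above, and the follow-up login in the paragraph after them, modelled in Python as an added example (not code from the original article or from Kisi). The `CentralAuthServer` and `SsoApplication` classes, the user `alice`, the token format and the one-hour session lifetime are all constructed for this illustration; the example also shows the central revocation that the offboarding discussion below relies on, where dropping one session locks the user out of every connected application at once.

```python
import hashlib
import hmac
import secrets
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the server never stores the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CentralAuthServer:
    """Minimal model of the centralized SSO authentication server (constructed)."""

    def __init__(self, session_ttl: int = 3600):
        self.users = {}        # username -> (salt, password hash)
        self.sessions = {}     # access token -> (username, expiry timestamp)
        self.session_ttl = session_ttl

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_password(password, salt))

    def find_session(self, token):
        """Step 2: look for an existing, unexpired session for this token."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if time.time() > expiry:
            del self.sessions[token]      # expired sessions are treated as absent
            return None
        return username

    def login(self, username: str, password: str):
        """Steps 4-6: verify credentials, record the session, return a token."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)   # unguessable access token
        self.sessions[token] = (username, time.time() + self.session_ttl)
        return token

    def revoke_user(self, username: str) -> int:
        """Central revocation (offboarding): drop every session of one user."""
        doomed = [t for t, (u, _) in self.sessions.items() if u == username]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)


class SsoApplication:
    """An application that trusts the central server instead of holding passwords."""

    def __init__(self, name: str, auth_server: CentralAuthServer):
        self.name = name
        self.auth = auth_server

    def request_access(self, token, credentials=None):
        """Return (username, token); raise PermissionError when a login is needed."""
        user = self.auth.find_session(token) if token else None
        if user:
            return user, token                                   # session found: no prompt
        if credentials is None:
            raise PermissionError("credentials required")        # step 3
        token = self.auth.login(*credentials)                    # steps 4-6
        if token is None:
            raise PermissionError("bad credentials")
        return self.auth.find_session(token), token


def demo():
    """Walk the flow across two apps, then revoke centrally."""
    server = CentralAuthServer()
    server.register("alice", "correct horse battery staple")   # constructed user
    mail = SsoApplication("mail", server)
    drive = SsoApplication("drive", server)
    # First app: no session exists, so credentials are requested and a token issued.
    user, token = mail.request_access(None, ("alice", "correct horse battery staple"))
    # Second app: the same token is accepted with no credential prompt.
    user2, token2 = drive.request_access(token)
    # Offboarding: one revocation invalidates the session for every app.
    revoked = server.revoke_user("alice")
    still_valid = server.find_session(token)
    return user, user2, token == token2, revoked, still_valid


if __name__ == "__main__":
    print(demo())
```

Each application holds no password at all; it only forwards a token to the server for a session lookup, which is what makes the one-place revocation possible.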

What Are the Opportunities of Expanding SSO to Physical Space Such as Door Security?

Although some users consider single sign-on authentication risky, there are improved methods for sharing access information that make SSO applicable to access control while retaining its benefits. For example, the shared secret method has better security attributes than its predecessors, since it is enhanced by a SHA-1 digest of the shared secret.

Single sign-on limits risks from storing external passwords, creates a user-friendly password system, and is a timesaver for both IT support and staff.

The initial sign-on credentials can be stored on a smart card, which can later be used to grant access to multiple applications. Smart cards are widely used in electronic access control systems and are a popular choice for large companies with a large workforce.

Modern encryption methods enable the use of SSO authentication schemes on mobile devices. The phone can then be used as an authenticator for electronic access control in buildings as well as for computer access. Each user can rely on the smartphone as a single authentication device for multiple applications, letting him pass unimpeded through both physical security barriers and computer security checks.

A smartphone can be the main “key” to get safely into any secluded storage space you use for valuable objects, data or information.

How Does Single Sign-On Authentication Extend to the Physical Realm?

This identity management method helps people log into websites and online portals — and it also applies to material objects. Convenience is one of the main advantages of SSO, including its flexibility in securing physical items.

For example, homes and businesses around the world use Internet of Things (IoT) devices. However, those gadgets are often left unsecured, leaving them vulnerable to hackers' exploits. Identity management can have some significant privacy gaps, especially when it comes to IoT devices. One smart way to address them is to enable a single sign-on option.

Whenever a person uses a connected gadget with SSO, the system must first verify their credentials. SSO can also make things easier for smartphone users. In 2018, some of the major U.S. telecom companies joined forces to bring SSO to smartphones. That setup, known as Project Verify, examines some digital credentials such as an IP address, as well as a physical component — the SIM card.

SSO access can also apply when an employee brings a device from home that they want to use at work. SSO systems usually have cloud-based interfaces where an authorized user can log in and grant or deny access to a person on a particular device. Such options also make it convenient for a workplace to restrict the access of certain devices but not others, such as smartphones that are too old to work with the latest security upgrades.

Outside of the workplace, SSO makes things easier for people who use tech gadgets at home. For example, Amazon's Fire TV set-top box has SSO. Through this approach, people can sign in with their cable TV provider logins once to access all the network apps included in their package.

What Advantages Does the Single Sign-On Approach Give to IT Departments?

SSO for identity verification saves time and headaches for people in IT departments who may spend significant amounts of time every day responding to password reset requests from frustrated employees. With SSO, the verifying entity takes care of all password resets, instead of someone in a particular workplace having to do it.

It's easy to see how this streamlines things during someone's onboarding process or when they leave the company, too. Instructing a new hire to create one set of login credentials is undoubtedly more straightforward than requiring them to go to every tool a business may need them to use and making usernames and passwords for each one.

Then, if a person leaves the company, the IT department can go into the respective cloud interface and disable that person's access everywhere at once. Having that capability removes the risk of an IT staff member forgetting to revoke access privileges in at least one place, which would let the former employee keep getting into platforms without authorization.

Are There Downsides to SSO Access?

Despite SSO's many perks, no system is perfect. Security researchers say SSO's growing popularity caused an increase in cybercriminals creating fake versions of login screens.

One way to avoid that kind of phishing is to also set up two-factor authentication (2FA). Then, even if a hacker gets the login and password, they still can't enter the system because they won't have the other piece of information — such as a text message code — that completes a person's login process.
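As an added example (not code from the original article or from Kisi), here is that second factor enforced at the central login in Python: a time-based one-time code per RFC 6238, computed with the standard library only, must match alongside the password, so a password captured by a fake login screen is not enough on its own. The user record, the base32 secret and the password are constructed sample values; `sso_login`, `totp` and `verify_totp` are names chosen for this illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret_b32, code, at=None, window=1, step=30):
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    now = time.time() if at is None else at
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + k * step, step), code):
            return True
    return False


# Constructed user store: username -> (salted password hash, base32 TOTP secret).
_SALT = b"constructed-demo-salt"


def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": (_pw_hash("hunter2"), "JBSWY3DPEHPK3PXP")}


def sso_login(username, password, otp_code, at=None):
    """Both factors must pass; a phished password alone does not log the user in."""
    record = USERS.get(username)
    if record is None:
        return False
    stored_hash, secret = record
    if not hmac.compare_digest(_pw_hash(password), stored_hash):
        return False
    return verify_totp(secret, otp_code, at=at)


if __name__ == "__main__":
    now = time.time()
    print("password only:", sso_login("alice", "hunter2", "wrong!", at=now))
    print("both factors:", sso_login("alice", "hunter2", totp("JBSWY3DPEHPK3PXP", at=now), at=now))
```

The `window` of one step on each side matches what most authenticator deployments tolerate; a larger window widens the time in which a code observed in transit stays usable, so keep it small.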

Also, if a person loses their SSO credentials, they are locked out of all applications instead of just one. This downside could be especially inconvenient if they work remotely or otherwise cannot seek immediate help to restore their access.

The Single Sign-On Approach Makes Sense for Today's World

After learning more about SSO and the reasons for using it, you can see why the method is so popular. With SSO, you no longer need to remember a humongous list of passwords, and your accounts will remain secure.
