Software development

Spring cleaning for effective account management

The author of this article is Lauritz Holtmann. Lauritz is a consultant on the subject of IT security and helps companies find and fix security gaps.

Synopsis

Password chaos is caused by the use of many online services, each with its own account, which often leads to weak or reused passwords. Single sign-on (SSO) offers a solution: a single account provides a consistent user experience. It allows seamless integration of third-party providers without logging in again and enables granular rights management. Login data is managed centrally, and services only receive short-lived tokens, which increases security.

What causes password chaos?

In our daily work, we use a variety of different online tools for smaller and larger tasks. With one account each for at least the ticket system, the company chat, the video conferencing solution and the version control system for software development projects or specialist applications, account chaos is inevitable. For convenience, users with numerous independent accounts and logins quickly tend to choose weak passwords or even reuse passwords.

If I offer my customers several independent applications on one platform, such as a shop and a support site, that do not share the same account and require different login details, password chaos is even more inevitable.

The solution: single sign-on

Especially for a platform operator, implementing a central login provider offers numerous advantages. The biggest difference from a user perspective is obvious: the user experience is consistent and seamless. Users only need one account for all services on the platform and (hopefully) use a single but strong password.

In recent years, single sign-on (SSO) has established itself as a widespread solution, both in private and business contexts. Everyone will quickly think of at least a handful of websites in a private context that support logging in via Google or Facebook. In the consumer sector, OpenID Connect (OIDC, based on OAuth) is mostly used, while in an enterprise context the Security Assertion Markup Language (SAML) is traditionally still common.

Traditional scheme with many passwords vs. one password for all services

Seamless third-party integration

The seamless integration of third-party providers makes it possible to switch between different services without logging in or registering again. This includes the following functions offered externally and internally:

  • Access to training materials
  • Non-public information, such as product announcements
  • Marketing materials
  • Operating a support portal
  • Partner shops with affiliate conditions

There is a conceptual separation between authentication (Who is the user?) and authorization (What is the user allowed to do?). Among other things, this enables granular rights management, which allows you to define exactly which information a service provider has access to (e-mail, location, customer number...) and which functions its users may use.

To increase security, user credentials are managed exclusively by the central login provider. Service providers never see the password; they only receive short-lived “tokens”, which are renewed regularly.
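The token flow described above, as an added example that is not part of the original article: the login provider mints a short-lived, signed token for one client that carries only the claims the granted scopes allow, and the service provider accepts it only after checking signature, issuer, audience and expiry. The issuer URL, secret, scope-to-claim mapping and lifetime are constructed demo values; a real OIDC provider signs with an asymmetric key (e.g. RS256) published via its JWKS endpoint rather than a shared HMAC secret.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo values (hypothetical issuer and secret, not from the article).
ISSUER = "https://login.example-platform.test"
SHARED_SECRET = b"demo-secret-not-for-production"
TOKEN_LIFETIME = 300  # seconds: tokens are short-lived and renewed regularly
# Which user attributes each scope releases to a service provider (granular rights management).
SCOPE_CLAIMS = {"email": ["email"], "profile": ["name"], "customer": ["customer_number"]}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: dict, client_id: str, scopes: list, now: int) -> str:
    """Login provider: mint a signed token for one client with only the claims its scopes allow."""
    claims = {"iss": ISSUER, "sub": user["sub"], "aud": client_id,
              "iat": now, "exp": now + TOKEN_LIFETIME, "scope": " ".join(scopes)}
    for scope in scopes:
        for claim in SCOPE_CLAIMS.get(scope, []):
            claims[claim] = user[claim]  # e.g. location is never released without its scope
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_token(token: str, expected_client: str, now: int) -> Optional[dict]:
    """Service provider: return the claims only if alg, signature, issuer, audience and expiry hold."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":  # reject alg=none / key confusion
            return None
        expected = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed base64 or JSON
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_client:
        return None  # token minted for another client must not be accepted here
    if now >= claims.get("exp", 0):
        return None  # expired: the client has to fetch a fresh token
    return claims

def has_scope(claims: dict, scope: str) -> bool:
    """Authorization check inside the service: was this scope granted?"""
    return scope in claims.get("scope", "").split()
```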

Better UX as no need to log in again on different applications

Extending the platform is flexible because each new application is configured as a separate client at the login provider and can therefore usually be connected with little effort and without programming.