In previous blog posts in this series, we talked about many ways to intelligently determine the right level of assurance for users gaining access to specific resources. While much of the goal is to minimize interruptions in the user experiences for authentication, there are many times when the user needs to interact in some way to prove they are who they claim to be. The final two key components to an identity assurance strategy are focused on this user experience. The first of these topics is the importance of a consistent experience.
Enterprise users access many types of resources, including internal web apps, SaaS apps, VPNs, thick client apps and mobile apps. They access these resources from multiple corporate, personal, and shared devices. With all that variability, how can we ensure there is a consistent authentication experience across all user access points? Delivering a consistent experience can:
- Reduce helpdesk calls
- Increase user productivity
- Improve user experience and satisfaction
The Role of Single Sign-On (SSO)
SSO is one key instrument in providing a seamless user experience. Enabling SSO gives users a consistent experience in authentication across applications. And while it can reduce poor password management because users have to remember only one password, SSO alone is primarily a tool of convenience more than security. However, when SSO is implemented along with an authentication solution that effectively enforces context and risk rules and policies, we can enable SSO convenience with the additional security of identity assurance. Most SSO providers include some type of two- or multi-factor authentication (2FA and MFA) capabilities. However, the basic 2FA and MFA abilities of these solutions typically fall short of the identity assurance capabilities. Additionally, when thinking about an identity assurance strategy, we want to think beyond applications protected by SSO.
What About the Other Apps?
While many organizations have an SSO solution, these same companies have additional applications that are not integrated with that solution. There are many reasons for this:
- The SSO solution is optimized for cloud applications which leaves out on-premises applications;
- The SSO solution may be a legacy web access management (WAM) solution, and in that case, all the cloud solutions may not be integrated or users may need to log into the VPN first to access the WAM; and,
- VPNs, thick client apps, etc. are often not part of SSO.
The reality is there are always resources important to your business that are not part of your SSO solution deployment. Just because these applications are excluded from SSO does not mean they should be excluded from your identity assurance platform. The authentication experience should remain consistent for these apps as well. The more resources protected by the same user authentication experience, the lower cost and better experience you can provide. Users don't care if it's a RADIUS client, some type of Agent, or a SAML integration. They also don't care whether the application they're accessing is in the cloud or in a datacenter. These are problems for IT and solution providers. It's the job of the identity assurance solution, and those administering it, to ensure that regardless of the back-end technology, the user experience is simple and consistent while maintaining the required security posture.
Putting It All Together
End users are focused on getting to the information they need to do their jobs. If the authentication interaction is inconsistent across the breadth of their applications, the user can easily get confused, frustrated, and lose productivity. By offering a consistent experience, regardless of the application, we can remove authentication issues while reducing helpdesk costs. While consistency is really important for these things, flexibility is equally important to keep things easy for users. In our last blog of this series, we'll discuss the importance of flexible authentication. In the meantime, I invite you to review the first 4 keys to successful identity assurance covered in previous posts in this series: business context, anomaly detection, machine learning, and broader ecosystem.
Author: Jason Oeltjen
Category: RSA Fundamentals, Blog Post
Keywords: 2FA, Authentication, Identity Assurance, MFA, RSA SecurID, Six Keys