http://www.thechromesource.com/understanding-single-sign-on-in-google/

Multiple outlets are reporting today that single sign-on is being rolled out to all Google users. But what does that mean? For starters, if you’ve ever been challenged with having to sign in and sign out of multiple accounts, this feature was built specifically for you.

A paper from Cormac Herley, a researcher at Microsoft, goes into detail about why users will never change their passwords regularly and why the entire password approach to security is fundamentally flawed.

However, there is one security concern that is often a weak link for Web-based applications, and that’s user authentication. If a user — legitimate or otherwise — presents the right credentials to the application, he can usually get right in. The application doesn’t know that the login ID and password were surreptitiously stolen with a keystroke logger, or phished via a social engineering scam, or used by an ex-employee who was fired last week. There are just too many scenarios that make a user ID and password insufficient protection for access to Web apps.

…Decouple the authentication process from your application and take advantage of the growing acceptance of standards like SAML andOpenID to let dedicated Identity Providers take on the responsibility of authenticating users.

Whether you use OpenID or SAML, the process is similar. Your application exchanges identity assertions with other applications, typically trusted identity providers or partners. The Identity Provider (IdP) authenticates the user. Your application is a ’service provider’ or identity consumer (the terminology varies with the protocol). It consumes or accepts the identity assertions of the provider. Your application only needs to maintain the list of the providers or partners that you trust when it comes to user identity.

Single sign-on solutions (SSO) have been developed to help with this issue. SSO systems enable users to log in once only and then be automatically authenticated when they attempt access to other resources. There are a number of technical solutions to this problem, each with its own advantages and disadvantages, including Kerberos, password management and password synchronisation. The reason for the number of solutions is down to the complexity of implementing each and the wide range of run-time environments where some solutions cannot be supported.

File this one under ‘how not to emplement web authentication’.

They have selected TriCipher’s myOneLogin service to provide strong customer/client authentication for its Web-based payment solutions.

Read the press release.

Some programs let companies manage employee passwords for applications inside and outside the firewall for as little as $3 per user per month. Such programs tout their ability to give workers a single sign-on, one login for access to their corporate network, e-mail, and applications.

If you’re concerned that your employee’s passwords may be too weak, here’s a good article to read.

Industry analyst Gregg Kreizmann, of Gartner Inc., says small companies are increasingly turning to such “single sign-on” tools, which are also made by TriCipher Inc. and Arcot Systems Inc., to help manage and control access to popular software-as-a-service applications such asSalesforce.com and Google Apps. These single-sign-on tools typically cost $1 to $3 per employee per month, and can make it easier for small companies to move from passwords to stronger access methods, such as one-time codes that are sent to mobile phones, which TriCipher provides using technology from VeriSign Inc.

Here’s the full article on protecting your company’s data using a single sign-on solution.