Occupational Health News — Enterprise Health

Security best practices: single sign-on & multi-factor authentication

Written by Enterprise Health | Feb 18, 2020 4:00:00 PM

Ever heard of “password fatigue?” Maybe not, but you’ve probably experienced it — that overwhelmed feeling you get from having too many passwords to remember. Work systems, banking, email, your personal health records, all the retail sites you shop, and if you’re a caregiver of children or elderly parents, you probably have passwords to remember for them as well. 

 

In an effort to simplify our lives, many of us try to come up with some way to manage all of these passwords. Some of us resort to writing them down. Others fall into the trap of using the same or similar password over and over again. These kinds of practices increase security risks both at work and at home. Plus, they really make our IT friends sweat.

 

The solution to password fatigue is Single Sign-On (SSO) which uses a central Identity Provider to authenticate users so that they can access multiple applications with just one login. SSO ensures that applications such as Enterprise Health do not even see the password. Instead, applications (called Service Providers) rely on the SSO Identity Provider to validate the user and pass on a claim (via an Assertion) that the user is credentialed. 

 

If you are an authorized Enterprise Health user, you are probably familiar with the concept of SSO because that’s how we manage authentication. You are logged directly into the application from your corporate network. In the background, we work with your organization’s access management systems to handle the log-in process. Once you prove who you are to them, we grant you access. It’s great for productivity, reduces the risk of forgotten passwords and allows your organization to quickly enable or disable user access to multiple systems as employees come onboard, leave the organization, or change positions. SSO also makes it easier to maintain compliance by creating a clear trail of who is accessing what and when at a corporate level.

 

There are several different Identity Providers protocols: OpenID, Security Assertion Mark-up Language (SAML), JSON Web Token (JWT), Active Directory Federation Services (ADFS). Also, there are many companies operating Identity Management solutions. Microsoft’s Active Directory is the most popular in the enterprise space, but many exist over the Internet, too. Google, Facebook, LinkedIn, Apple and many more offer Identity Management tools. All are designed to create seamless and secure sign-on experiences for users.

 

There are also several simple things you can do to make your information more secure. Google suggests 5 Simple Steps to strengthen your online security — a good read for all. One of the steps is to add a recovery phone number or email to your account. In fact, not long ago Google teamed with researchers to determine how effective certain actions are in preventing account hijacking. Their research shows that adding a recovery phone number to your Google account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during their investigation.

Another way to boost security is to add Multi-Factor Authentication (MFA), which requires you to take an additional step each time you log into your account. This practice is becoming more common and is an easy way to prevent someone from gaining access to data and systems.

 

At Enterprise Health, we support and encourage the use of MFA, a security method we use ourselves. MFA might come in the form of receiving an SMS code to your mobile phone or use of a security key. At Enterprise Health, each employee is assigned a YubiKey that plugs into his or her computer. Once plugged in, a simple touch on the key’s touchpad authenticates the employee and grants access. 

 

SSO and MFA are two security best practices to help protect valuable data and systems from unauthorized access. Check back next week when we will provide a few tips on how to create strong passwords. Hint: it may be completely different than what you’ve heard over the last 15 years!