Website Authentication Best Practices | Single Sign-on and the Human Factor

Single Sign-on

There is an interesting divide between how we perceive authentication (proving some aspect of one’s identity) in the physical world versus the digital world. Consider all the ways that you prove your identity in the “real world” through the course of a normal day:


  • A key unlocks and starts your car
  • A garage door opener allows access to a garage
  • An ATM requires both a card and PIN code to withdraw money from your account
  • An orange apron you don at work signals to customers that you’re an employee that can help them find something
  • A grocery clerk checks the birthdate on your license to ensure you’re old enough to purchase wine or beer. Perhaps they didn’t “card” you at all because your physical appearance strongly suggests you’re old enough.
  • They also match your live signature against what is on the back of the credit card that you used to make the purchase
  • A pharmacist requires your driver’s license or home street address to pick up a prescription
  • Your dog doesn’t bark when you come home because he recognizes the sound of your car and footsteps coming up the stairs


We all put up blinders for these things because we’ve been trained to expect them. We don’t stop to consider these steps because we’ve put together a mental single sign-on solution for our own personal identification.

Digital Representation and Authentication

For all their power and complexity, computers (and the web sites we visit on them) are exceedingly ‘dumb’. I’m sure you’ve caught yourself asking: why do they always require us to enter a username and password? Well, just look at the fact that ANYONE in the WORLD with an Internet connection could be accessing that particular website. The sheer scope and number of potential imposters is much larger than what your local bank, grocery stores and pharmacies have to deal with. In the physical world, visibility and context between devices and individuals are a wide-open, easily observable vista. When it comes to the digital world, these interactions are collapsed down to a single network connection of digital pulses between servers. The observation and determination of potential threats is much more difficult in this setting.

I’m sure that you have multiple websites on which you’ve saved your credit card information. These days, everybody is doing it. Aren’t you just a little bit glad that these websites have slightly stricter authentication requirements than others? Would you give that confidential information to your friends or business associates? Not without making sure you can trust them implicitly.

So many of the items in the list above rely on information rooted in the physical world, be it a key, card, signature, appearance or sound. Steps and methods have been created to leverage some of these for digital access, but the costs are too steep to implement them for the billions of people that use millions of websites. As such, computers are seriously hampered in this regard because the threats are so widespread and can strike with blinding speed.

A Single Sign-on Solution

Allowing computers to perform ‘implicit’ authentication can be a tremendous help. In this case, ‘implicit’ simply refers to something the user doesn’t need to do explicitly or manually. Single Sign-On helps prevent users from making ill-advised choices like re-using passwords for multiple sites or meeting only the bare minimum for password complexity. A recent article on Info Security Magazine cites a Verizon report stating that nearly half of security incidents are caused by user error. TechWeek Europe cites the same report as finding that two-thirds of breaches last year were due to weak or stolen passwords. This is attributable to the divide, or lack of awareness, that humans have with regard to digital authentication. Simply put, the employer training and any public service announcements have not worked. Is it any wonder, when digital tomes that boil down the basics of authentication and Single Sign-On still run hundreds of pages in length?

Computers automate so many tasks in the 21st century; why not allow them to securely perform implicit authentication for each of us? Humans are not equipped to secure themselves in the way that today’s digital landscape requires. Going forward, we will need assistance from our own computers, which we each maintain and trust. Think of these as digital shepherds that we must also do our best to keep healthy by using things like anti-virus software and firewalls. Using a single sign-on solution that is available only after a single, strong authentication will allow our shepherd not only to do its work securely on our behalf, but also to free us to pursue our more humane endeavors.
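The pattern described above, one strong explicit authentication followed by implicit access to each application, can be shown in miniature. The following is an added example written for this page, not PortalGuard’s product or code: a toy identity provider checks a password plus a one-time code once, then issues a short-lived signed token naming the applications the user may reach. Each application verifies the token (signature, expiry, audience) and never sees the password, so there is nothing for the user to reuse or weaken per site. The user record, the one-time code, the signing key and the application names are all constructed for the illustration; a real deployment would use a standards-based assertion format and asymmetric signing keys.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# --- Constructed sample data (not from any real deployment) ---
# The identity provider's token-signing key. An HMAC key keeps the example
# self-contained; a production IdP would sign with an asymmetric key so that
# relying parties verify with a public key and hold no secret that can forge tokens.
IDP_SIGNING_KEY = b"constructed-idp-signing-key-do-not-reuse"


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the IdP is the only place a password is ever checked.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store. The per-user "otp" stands in for a second factor
# (a real deployment would use TOTP, WebAuthn or a push prompt).
_ALICE_SALT = b"alice-salt-constructed"
USERS = {
    "alice": {
        "salt": _ALICE_SALT,
        "pw_hash": _hash_password("correct horse battery staple", _ALICE_SALT),
        "otp": "492871",             # constructed one-time code
        "apps": {"mail", "wiki"},    # applications alice may reach via SSO
    }
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def strong_authenticate(username: str, password: str, otp: str) -> bool:
    """The single explicit authentication: password plus a second factor."""
    user = USERS.get(username)
    if user is None:
        # Run the hash anyway so an unknown user is not distinguishable by timing.
        _hash_password(password, b"dummy-salt")
        return False
    pw_ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = hmac.compare_digest(otp, user["otp"])
    return pw_ok and otp_ok


def issue_sso_token(username: str, now: int, ttl_seconds: int = 3600) -> str:
    """Issue a signed, short-lived token naming the apps the user may reach implicitly."""
    payload = {"sub": username, "aud": sorted(USERS[username]["apps"]),
               "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def sso_login(username: str, password: str, otp: str, now: int) -> Optional[str]:
    """One strong login; returns the token the user's agent presents to each app."""
    if not strong_authenticate(username, password, otp):
        return None
    return issue_sso_token(username, now)


def verify_sso_token(token: str, app: str, now: int) -> Optional[str]:
    """Relying-party side: accept the token, never the password. Returns username or None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None                  # forged or tampered token
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return None                  # expired: the user must authenticate again
    if app not in payload["aud"]:
        return None                  # token not issued for this application
    return payload["sub"]


if __name__ == "__main__":
    now = int(time.time())
    token = sso_login("alice", "correct horse battery staple", "492871", now)
    print("mail accepts:", verify_sso_token(token, "mail", now))
    print("payroll accepts:", verify_sso_token(token, "payroll", now))
```

The point to notice is the division of labour: the user performs one strong authentication at the identity provider, and every application afterwards checks only the provider’s signature, expiry and audience. Shortening the token lifetime, or revoking it centrally, is then the lever for forcing re-authentication, rather than per-site passwords.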


For more information please visit PortalGuard’s page on Single Sign-On best practices or visit our home page and live chat with a representative to discuss how you and your company would benefit from Single Sign-On.

Tags: Authentication Security, #cybersecurity, #HumanFactor, #infosec, IT Security, PortalGuard, #security, SSO, Password Security, Single Sign-On, Single Sign-On (SSO), User Authentication

Author: Gregg Browinski