One Login, All the Cloud
MyOneLogin aims to bring back the glory days of single sign-on, without all the hassle. Having grown out of a company that originally provided SSO authentication systems on-site for millions of customers, many of which were financial service companies serving banks, the company knows a thing or two about authentication. Secure, bank-grade authentication, that is. After watching its customers turn around and use the technology to provide authentication services to banking clients, the folks at TriCipher, myOneLogin's corporate parent, thought that perhaps now was the time to start offering a secure SSO product.
The product, myOneLogin, has been available outside beta for the past year and is currently being used by a number of business customers, including Motion Media Solutions, Ingres, Ferrilli Information Group, and Comergence Compliance Monitoring.
myOneLogin is a hosted service that customers can use for their own systems without installing any additional hardware or software on-site or on their devices. Although the service can work with any behind-the-firewall browser-based application, its true potential is in providing SSO services to new hosts of cloud-based applications that are sneaking their way into the enterprise today. Applications like Salesforce, Google Apps, Zoho, Outlook Web Access, Yahoo Mail, WebEx, WordPress, Picasa, Amazon, and LinkedIn are just a handful of the hundreds upon hundreds of supported cloud apps.Essentially,
What's more, the service isn't limited to just "business" apps. Today, the line between what's for work and what's for personal use has blurred. Isn't Facebook just as much for business networking as it is for fun? When you book your airline tickets at Expedia for your business trip, don't you also return to book your vacation, too? With the myOneLogin service, all these applications - both business and personal - can be wrapped up together for secure SSO authentication.
How It Works
Without getting too technical, the myOneLogin service simply downloads a small marker to your computer or your internet-connected device the first time you go to use the service. This marker is nothing more than an encrypted cookie in most cases, unless the I.T. admin has specified that a browser certificate should be used instead. (With the certificate, the end user has to click "Yes, I accept" one time but the cookie is hidden from the user, requiring no action.)
Next, the system either asks you a series of security questions to verify your identity or the system can send a code to your cell phone, again depending on how your I.T. administrator has configured the service. Keep in mind this is only done the first time you use myOneLogin on a new device, not every time. You also have the option of going through these identity-verification steps for one-time use of a public PC, like that at an internet cafe or hotel business center. The system will confirm your identity, but won't install the marker on the computer.
To access your personal list of web applications, you visit a portal page provided by myOneLogin. The page can be entirely customized with the company logo, etc. as the business sees fit. Alternatively, the page can be used within an iframe so as to embed it into whatever portal the company already uses - like SharePoint, for example.
For applications like Google Apps, Salesforce, and WebEx, and some internally-used enterprise applications, SAML (Security Assertion Markup Language) can be used. SAML even works with a couple of VPN providers - Juniper SSO VPN and Microsoft's Internet Access Gateway. That's handy for companies wanting to support both internal and cloud-based applications. For other systems, myOneLogin acts as a password proxy, learning the username/password combination and then providing it to the requesting application.
When the time comes to remove a company employee's access to systems, the beauty of the myOneLogin system is that there's just one place this has to be done. Unfortunately, that's because the heavy lifting still needs to be done on the front end when provisioning access for the user. However, the system is so easy to use that it can even be self-provisioned by I.T. Alternatively, myOneLogin can do the provisioning for you. And fast, too. In fact, one large insurance company in California provided myOneLogin with a list of applications they wanted to make SSO-enabled, and when, the next day, they were all available on the portal, the company's security guy was amazed, saying "this cannot be that easy." But it is.
As far as infrastructure goes, myOneLogin hosted service runs as a single instance in a multi-tenant environment which allows them to provide the cost benefits of the Software-as-a-Service (SaaS) model with their customers.
The system is surprisingly affordable. It's only $3 per month per user. Considering that the average user accesses 12 or so web applications per month and has an overall cost associated with them at about $500 per month, says Jack Martin, a VP at TriCipher, "what's $3 then?"
As more companies continue to implement external applications which they don't have control over, I.T. is becoming concerned about security and control. What's more, many of these applications don't have secure authentication built-in. That's why Martin believes now is the time for a return to SSO - except now it's a cloud-based service designed for the cloud-based applications that businesses today want to use. That doesn't sound like too bad of an idea. What do you think?