Supplier's problems with passwords solved by single sign-on technology

A single sign-on product came to the rescue and saved a rail supplier's company from "password hell."

The last time the IT department of the supplier Westinghouse Rail Systems Ltd. carried out a user satisfaction survey, the response was unequivocal: "Save us from password hell."

Users said they found it impossible to keep track of all the different passwords they had to remember, particularly since the company enforced complex passwords with a mix of letters and numbers and also changed them on a regular basis. Inevitably, most users resorted to writing passwords in notebooks or on sticky notes attached to their screens. Those who forgot passwords flooded the help desk with reset calls.

The problems with passwords were nothing new. Users had been complaining about them for some years, but according to applications architect John Woodriff, there seemed to be no workable solution.

"We had looked at a number of solutions over the years, but they all seemed to cater for only one part of the problem," he said. "We have an awful lot of legacy applications, including some terminal-based ones going back 15 or 20 years, running on Digital VAX machines under VMS."

With a different password needed for each application, users found it hard to retain the information without writing it down. In addition, most applications were programmed to lock the user out after three unsuccessful login attempts. "If that happened, they would have to phone the IT help desk, the call would be logged, then it would be passed to the admin guy for that application, who would reset the passwords and then go back to the user. That could take several hours, or a day if the system administrator was having a day off," he said.

The problem was crying out for some kind of single sign-on technology, but the broad range of applications had proved a major stumbling block. Then Woodriff came across Imprivata Inc., which offered a single sign-on (SSO) authentication system that was available both in software and as an appliance.

"Some of the features of SSO rang immediate bells with us. The system does self-enrolment, which means users can put in information about themselves, and use that private information to retrieve a lost password. They can dictate how many questions they want to use at enrolment, and the system will display three of these questions to get a webpage up to display their password," he said.

"So if they forget their password, they can go in via this webpage and get a reminder. It means they don't have to make an IT help desk call."

An initial trial of around 30 users was set up, and the company reviewed both the software- and appliance-based versions of the Imprivata OneSign product. The decision was taken to adopt the appliance, which seemed better able to cope with the load Westinghouse would put on it.

Deployment, according to Woodriff, was "frighteningly easy."

To capture the profile of each application, the SSO system needs to be taught how each login screen works: where it expects the username and password to be entered, how the application responds to successful and unsuccessful logins, and how it handles password changes. This is done through a simple graphical user interface.

Using a Web interface, the appliance allows the systems administrator to capture the elements of each startup screen in a series of drag-and-drop actions to create the application profile. Woodriff estimated an application with a simple interface can be set up in around 30 minutes.

"Unfortunately, not all the applications have been that easy," he conceded. A couple of old legacy applications proved to be especially problematic, and it took a few days of support calls with the Imprivata support people before the root cause could be identified.

In one case, the implementation team discovered that an application took five screens before it got to the logon screen. "Basically, we had gone over Imprivata's buffer of screen scraping. All we had to do was extend the buffer and, bang, it worked. It took a while to find, a bit like a needle in a haystack. But we got there in the end, and we didn't have to change the application itself."

Another application failed to confirm a successful change of password and went straight to the logon screen, thereby confusing the SSO system. That was solved by the insertion of an alert box to denote a successful password change.
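The two legacy cases just described, the logon prompt lying beyond the agent's screen buffer and the password change that produced no confirmation, modelled as an added example that is not Imprivata's code. The AppProfile fields, the marker strings, the buffer size and the sample screens are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class AppProfile:
    """Constructed stand-in for an SSO application profile: the text markers
    the agent looks for on each screen, plus how many screens it inspects."""
    name: str
    logon_marker: str        # text that identifies the logon screen
    success_marker: str      # text shown after a successful logon
    failure_marker: str      # text shown after a rejected logon
    pw_changed_marker: str   # confirmation after a password change ("" if none)
    screen_buffer: int = 3   # screens scanned before the agent gives up

def find_logon_screen(profile: AppProfile, screens: List[str]) -> Optional[int]:
    """Index of the logon screen, or None when it lies beyond the buffer."""
    for i, screen in enumerate(screens[:profile.screen_buffer]):
        if profile.logon_marker in screen:
            return i
    return None

def logon_result(profile: AppProfile, screen: str) -> str:
    """Classify the screen shown after credentials were submitted."""
    if profile.success_marker in screen:
        return "success"
    if profile.failure_marker in screen:
        return "failure"
    return "unknown"   # the agent must not guess; treat as not logged on

def password_change_confirmed(profile: AppProfile, screens: List[str]) -> bool:
    """True only if the confirmation marker appears before the application
    returns to its logon screen; with no marker the change looks like a failure."""
    for screen in screens[:profile.screen_buffer]:
        if profile.pw_changed_marker and profile.pw_changed_marker in screen:
            return True
        if profile.logon_marker in screen:
            return False
    return False

# Constructed sample: a VMS-style application that shows five screens
# (banner, notices, menus) before it finally presents the logon prompt.
LEGACY_SCREENS = ["*** WELCOME ***", "Notice of the day", "Select terminal type",
                  "Press RETURN to continue", "Loading menu ...", "Username: "]
LEGACY = AppProfile("stores", "Username:", "Main Menu", "User authorization failure", "")

if __name__ == "__main__":
    print(find_logon_screen(LEGACY, LEGACY_SCREENS))          # None: default buffer too small
    bigger = AppProfile("stores", "Username:", "Main Menu", "User authorization failure", "", 6)
    print(find_logon_screen(bigger, LEGACY_SCREENS))          # 5: found once the buffer is extended
    print(password_change_confirmed(LEGACY, ["Username: "]))  # False: straight back to logon
    fixed = AppProfile("stores", "Username:", "Main Menu", "User authorization failure", "Password changed")
    print(password_change_confirmed(fixed, ["Password changed", "Username: "]))  # True
```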

Six months on from the start of the project, around 1,500 users are enrolled on the system, accessing 15 different applications. Westinghouse has two Imprivata appliances installed at its headquarters in Chippenham, one of which is for redundancy, and a third at a disaster recovery site in Euston, central London.

The same password policies apply to all the applications, and passwords are still regularly updated; the important difference is that users now only have to remember their single SSO password, and if they forget it, they have a means of retrieving it by themselves.

Most users authenticate themselves using their username and password, although the system allows other forms of authentication, such as fingerprint readers and a token that can be sent to a mobile phone.

Mobile users are also catered for by the system. "Mobile users who come in via VPN do not have to attach to the SSO server. They can be working from home, still log on, still have all their SSO, which is simply cached on the local machine," he said.

Most people have been pleased with the new single sign-on technology, although the user base, made up primarily of engineers, is not easy to impress, as Woodriff admitted. "We got a 98% positive response from users during the trial. One user couldn't see the point of it, but he only logged on to two applications," he said.

Some other users claimed the new logon process was slower than what they had before, but this turned out to be illusory. "We think that beforehand, they would switch on their machine and then go off and make a cup of tea while it was logging on, whereas now they were sitting and waiting for the process to happen."

Users can still switch off the SSO module if they insist, but they are warned that if they do, and then phone the help desk about a lost password, their names will be logged. Three strikes and they are back on the SSO system.

To help users get to grips with it, the IT department is creating instruction videos which can be viewed over the company intranet, but as Woodriff said: "We can't force people to read our online tutorials."

The acid test will come with the results of the next satisfaction survey, which Woodriff expects to receive soon. What he does know is that help desk calls are starting to come down, and that the system has caught the attention of other parts of Westinghouse's parent company, Invensys Rail Group (a division of Invensys plc). Some parts of the group in Asia have already followed suit, and he said the system is likely to be adopted in the U.S. as well.

For the future, it is a question of bringing yet more applications under SSO control. In addition, as Westinghouse is making greater use of virtualisation, Woodriff said that once Imprivata introduces support for VMware at the end of the year, this will enable him to reduce the number of OneSign appliances from the current count of three.