Any login must be secure, that much is clear. However, having to constantly enter credentials and remember complex passwords is annoying and can impact the user experience negatively. This is a problem that occurs frequently, especially outside of corporate networks.
The solution can be found in the use of single sign-on. With single sign-on, users can access authorized accounts and applications after a one-time authentication without having to log in again each time. At least in the case of iOS devices. There, the use of the single sign-on option is effortlessly possible. Android users with devices managed using Android Enterprise, on the other hand, often have to do without the convenience due to a lack of Kerberos support. This doesn’t necessarily have to be the case. Let us demonstrate how to provide easy access to relevant resources even on Android Enterprise devices and how to change and reset a password from mobile devices, thanks to EBF’s new partnership with Hypergate.
Solving the conflict between security and convenience
When it comes to choosing credentials, there’s a balancing act to be made between security and ease of use: On the one hand, passwords must be secure – that is, complex and unique for each account and they must be updated regularly. On the other hand, users must be able to easily remember the credentials – which is made difficult with complex passwords, especially in large numbers.
Single sign-on provides the perfect solution for this: After a one-time authentication, users are given direct access to shared resources in all following attempts to access them via an authorized device. Eliminating the need to enter a username and password. The user’s identity is confirmed via the single sign-on platform.
This significantly increases usability, reduces the burden on IT by reducing password reset requests, and prevents users from resorting to using easy to remember or even identical passwords out of convenience. Besides, in the event of a hacker attack or if the employee leaves the company, data can be protected effortlessly. Because it’s also possible to perform a single sign-out, disconnecting the user from all connected resources at once.
Kerberos – a challenge for Android devices
To manage their users, many companies utilize Active Directory, leveraging the standard Kerberos protocol for authentication. Kerberos is considered a secure industry standard and does not require any passwords to be transmitted. Instead, it uses tickets, generated and processed in Active Directory: If a user wants to log on to an application, a ticket is used to check whether the user is allowed access. If so, the user can seamlessly access the application.
The catch: Kerberos is supported by iOS, but since the introduction of Android Enterprise, it is no longer supported by Android. If the IT department wants to enable single sign-on access on Android Enterprise devices as well, this requires a third-party app. And unfortunately, this is not uncommon. After all, Kerberos is used in many applications that are essential for our everyday work. If single sign-on is not applicable there, user satisfaction decreases while the effort for IT increases. Because a cross-device approach to authentication is not feasible.
Kerberos
Regular password resets - annoying but important
Another problem when working remotely: In almost every company, employees have to change their passwords several times a year, taking into account requirements for complexity and restrictions on the reuse of previously used passwords. However, employees usually need a Windows computer to do this. For employees who are on the road a lot, this is a problem. It would therefore be much easier if the password change could also be solved on mobile devices.
In addition, multiple password changes, where complexity requirements and password history have to be taken into account, lead to another problem: employees find it harder to remember passwords and tend to forget them. Then a special and expensive process often has to be initiated. It involves assigning a new initial password, which then has to be changed again. It would be better if users could set their own new passwords – in compliance with all requirements. The effort for support would be significantly reduced.
This is where Hypergate comes in to play
Our newest partner Hypergate’s solution fills both gaps: The Hypergate Authenticator makes it possible to use the standard Kerberos protocol and thus to enable single sign-on, even on Android enterprise devices. Moreover, password changes and, more importantly, password resets can also be implemented using the solution. Done by the employee, using a mobile device – easy and cost-saving.
Hypergate is easily configured, implemented, and deployed: In the backend, the applications and users for which single sign-on is offered can be defined, as can the underlying policies and whether this is to be done based on username and password or certificate-based. Password resets and single sign-outs are also easily possible. The solution is compatible with all leading Unified Endpoint Management systems and it can be rolled out to all employees via an app.
Hypergate gives organizations the ability to apply a holistic strategy to their devices, giving both Android and iOS device-based employees equal access to relevant applications while maintaining full control.
Find out more about Hypergate here or feel free to reach out to us.