Business Use of Cloud Password Managers

Password managers, password vaults, single sign-on—they’re all terms you’ve probably heard as a way to create and manage secure passwords using identity and access management technologies. But what are they and how do they differ?

Password managers and password vaults are just two terms for the same kind of product. These products are secure storage systems that encrypt and store user passwords for different websites or apps. Usually, an employee logs into the password manager with one password and then can access all the passwords they’ve created for their work apps and websites.

Modern password managers do more than this, though. Most will generate strong, random passwords for the employee to use on websites or apps. And most now offer browser extensions that will fetch the credentials for the site the user is logging into, populating the login dialog to make it easier to login without having to remember all those passwords.

Single sign-on (SSO) is a different technology that lets users securely authenticate to websites and apps by logging in just once a day with one password. After that, the user is automatically logged into any work app or site without having to re-enter credentials.

SSO doesn’t rely on looking up the user’s password in a database. Instead, it relies on standards like SAML or OpenID Connect to log in using trust relationships. That means the third-party site (an app or website) trusts the SSO tool to verify that the user is who he or she says she is.

Most password managers these days are cloud-based. Of course, you can use a password manager that stores the database on the employee’s local machine, but that makes it hard to access passwords when the employee logs into a website from their phone or a different machine. That said, many password managers require that you install browser extensions or mobile apps in order to have access from every device and browser. A cloud-based password manager also helps ensure you don’t lose your passwords if there is an event on a server or machine.

For individuals trying to keep their personal passwords secure, a cloud password manager makes sense. It’s better than a spreadsheet or using the same password for every site (which is the most common tactic).

When you’re looking for a solution to password challenges for your business, though, a cloud password manager may not be best. Password managers for businesses often store all the organization’s users’ passwords in one database. The password manager then just becomes another attack surface for hackers. That makes the recent news from ISE even more alarming. It showed that some major password managers expose user credentials in memory, even in a locked state. The master password for the password manager may even be exposed.

One way to add to the security of password vaults or managers is to require multi-factor authentication (MFA). This ensures that cybercriminals who gain an account’s username and password still can’t log in. Unfortunately, not all password managers support MFA or support it in a seamless fashion.

And password managers just don’t provide the level of security that single sign-on (SSO) does. They don’t let you manage role or location-based access rights within an application. They don’t let you refine access by, for instance, restricting access to confidential data or requiring more frequent authentication for apps with confidential access. They don’t let you implement smart authentication, such as restricting access to some apps or sites when users are logging in from locations deemed less secure.

Unlike SSO, most password managers don’t synchronize with your cloud directory or your Active Directory system for role-based access to provide a seamless experience for IT and users. They also usually don’t provide the fine-grained control and auditing functionality that many standards require for compliance. SSO, on the other hand, lets you see who has logged in and where they’ve logged in from, even down to the IP.

Lastly, most cloud password managers only work on websites and web apps. They don’t enable easy login on the desktop or on-prem applications. SSO tools, using LDAP and products like OneLogin Desktop, can give employees a single login experience that works the same across all their applications and devices. The result is greater employee satisfaction and productivity.

Cloud password managers supplemented by MFA are a good first start for smaller businesses that aren’t ready to invest in single sign-on. But rapidly growing businesses and mid-size to larger companies will find they outgrow their cloud password manager quickly and need to look at more robust single sign-on tools to meet their evolving security and ease-of-use requirements.