Infosec 2012 Cloudy crypto firm Ping Identity is pushing the benefits of using cloud-based technologies to reduce, and perhaps even eliminate, password headaches.

The firm is using the Infosec show to promote Ping One, launched in late March as a way of offering ID-as-a-service. Ping Identity is also talking up the potential for single sign-on in the clouds to sound the death knell for passwords.

Ping One allows firms to offer workers access to a range of cloud-based applications (Salesforce, Google Apps etc) through a portal or virtual desktop that they only need to sign into once, avoiding the need to remember sign-in credentials for the multiple different applications they need to use. Information on what application a user is entitled to log into is taken from one central user directory, such as Microsoft Active Directory. Federated SSO protocols such as SAML, OAuth, and OpenID are used to exchange tokens that allow users to access applications.

Roger Oberg, VP of marketing at Ping Identity, said that unlike other vaguely similar services, Ping One avoids to need to either store passwords or manage duplicate end-user accounts in the cloud.

Single sign-on (SSO) has been a holy grail for segments of the security industry for years. And vendors have offered up appliances and services, largely targeted at enterprises, to do just that for some years. The technology is designed to cut down on help-desk calls by workers who have forgotten their passwords and other similar costly distractions.

In practice, IT managers have told us that SSO offers a way to reduce the amount of passwords corporates are obliged to manage – but that it cannot achieve the one-password-to-rule-them-all goal the marketing hype around the technology promises to offer. Oberg acknowledged that reduced rather than "single| sign-on was often the end result of deployments because as "soon as you get on app that isn't anticipated" or one that lack SSO hooks, then users have to sign into it separately.

PingOne is being targeted towards SMEs, departments in larger firms and application providers. Developers can also subscribe to the service as a means to plug their technology into a cloud-based identity management service using its resource toolkit – without the heavy-duty security coding the process would otherwise involve, says Oberg. Other longer-standing services from Ping Identity, such as PingFederate, are targeted at large enterprises.

Ping Identity chiefly markets services designed to reduce the number of passwords enterprise users need to remember, so it has a vested interest in talking up the problem that multiple passwords can create. Unsurprisingly, Oberg is somewhat antagonistic towards password and user ID login credentials.

"Passwords are insecure and annoying," Oberg told El Reg. "They have to go," he added with all the passion of a pest eradicator eyeing a particularly long-standing cockroach infestation.

In place of passwords, Oberg favours multi-factor authentication using one-off four digit passcodes sent to mobile phones, as well as pattern-based authentication or biometrics (such as fingerprint readers). "Multi-factor authentication can reduce, if not eliminate, the number of passwords," he said. "We should be moving towards strongly authenticated non password-based identity," he added. ®

Log-in note

Oberg said one of Ping Identity's corporate clients had gone all the way and actually killed off password logins across its whole infrastructure. He hinted it was a high-security organisation but didn't say what it was, which market it operated in, or even whether it was in the private or public sector.

Related stories

• Symantec snaps up PasswordBank, touts SSO logins to biz (23 July 2013)

  https://www.theregister.com/2013/07/23/symantec_passwordbank_purchase/

• First Google wants to know all about you, now it wants a RING on your finger (21 January 2013)

  https://www.theregister.com/2013/01/21/google_password_alternative/

• Microsoft beefs up cloud login security in PhoneFactor gobble (5 October 2012)

  https://www.theregister.com/2012/10/05/ms_buys_phonefactor/

• Intel tries to wangle China crypto-standards deal (29 August 2012)

  https://www.theregister.com/2012/08/29/intel_tpm_tcm_interoperability/

• Open-source password keeper to get 'minor' weekend security fix (29 June 2012)

  https://www.theregister.com/2012/06/29/keepass_password_safe_security_update/

• Fujitsu cracks 278-digit crypto (19 June 2012)

  https://www.theregister.com/2012/06/19/fujitsu_encryption_cryptography_world_record/

• Trial finds eight ways to defeat Google, PayPal and other SSOs (20 March 2012)

  https://www.theregister.com/2012/03/20/sso_security_shortcomings/

• Brits guard Facebook passwords more than work logins – survey (23 February 2012)

  https://www.theregister.com/2012/02/23/password_survey/

• Mozilla pushes browser-based alternative to passwords (20 January 2012)

  https://www.theregister.com/2012/01/20/browserid/

• OpenID warns of 'psychic paper' authentication attack (9 May 2011)

  https://www.theregister.com/2011/05/09/openid_security_bug/

• Google opens up OAuth to tackle password chores (4 November 2009)

  https://www.theregister.com/2009/11/04/google_web_password_simplification/

• The many benefits of SSO (30 August 2005)

  https://www.theregister.com/2005/08/30/quocircas_changing_channels/

• Single Sign On 'in-a-box' lands in Europe (7 March 2005)

  https://www.theregister.com/2005/03/07/sso_imprivata/

• Web-based single sign-on sales shoot up (22 January 2003)

  https://www.theregister.com/2003/01/22/webbased_single_signon_sales_shoot/