USPS cuts password creep with single sign-on
- By William Jackson
- Aug 20, 2004
At an estimated $18 per trouble call, password resets were costing USPS $3 million to $4 million each year, USPS' Bob Otto says.
Henrik G. de Gyor
In a Postal Service help desk survey, forgotten passwords emerged as the No. 1 user problem.
A forgotten password is a minor inconvenience for an individual, but USPS has more than 150,000 users, each using a daily average of 10 applications that required passwords.
'Everyone during the course of the year forgot some of the passwords,' chief technology officer Bob Otto said. 'I was spending several million dollars a year doing password resets.'
At an estimated $18 per trouble call, the resets were costing USPS $3 million to $4 million each year.
Otto wanted a single sign-on product that could work with about 1,000 internal USPS applications and another 6,000 outside apps accessed regularly by employees.
'We have built hundreds of systems over the last 20 years,' Otto said. Applications for travel, budget and human resources were cobbled together with a variety of technologies, and 'every system has its own log-on ID and password,' he said.
Rewriting the applications to interface with a single sign-on product could cost $10 million or more and take years. Otto wanted to deploy something in a year without a significant investment.
USPS chose v-Go SSO from Passlogix Inc. of New York. Once a user signs in, a v-GO client agent handles the primary log-in and reauthentication for subsequent applications and other resources.
'The heavy lifting is done by the intelligent agent,' Passlogix president and CEO Marc Boroditsky said. An administrative console and server integrate with the corporate directory and access policies. A cryptographic engine certified to Federal Information Processing Standard 140-2 protects passwords and certificates handled by v-GO.
Microsoft Windows Active Directory and Systems Management Server push agents out to individual users. A staff of six deployed v-Go SSO for 147,000 users over eight months. There now are about 157,000 users.
Like about 70 percent of v-Go users, USPS employees initially enter their Windows log-in passwords. Their agents then recognize password activity in a range of applications, from mainframe to client-server and Web.The challenge
Designing an agent that could handle sign-ons for such a variety of software was far from easy, Boroditsky said. 'If we had accurately evaluated the challenge, we might not have been so willing to carry it out,' he said.
The agent automatically answers a password request in about a second, faster than the user could type it, so there is no delay in accessing resources. The agent also handles password changes, automatically supplying a random new password that satisfies policy whenever an old password expires. After a period of time, users need not remember a password to a particular app and might not even know it.
Passwords can be retrieved from the administrative console if a user needs them for remote access.
USPS has not disclosed what it paid for v-Go, but Boroditsky said it did not cost the full $69.95 per-seat list price.
Otto said the implementation 'paid off the investment in a couple of months.'
There is a security tradeoff when password policy changes, Otto said, but the net result is better security because users do not have to write down numerous passwords to remember them. The single password for the agent can be protected better, and all the other passwords administered by the agent are encrypted, he said.
William Jackson is freelance writer and the author of the CyberEye blog.