What's the point of asking the username and password 3 times repeatedly?

My father is an aircraft pilot and in order to see the monthly work plan he has to log into the airline’s system for pilots. Anyways.

The thing is he has to log in 3 times before viewing the page. The same username and the same password. What is the meaning of this? I’m sure it’s a security thing, but I want to understand what kind of threat this security system protects the data against.

Please let me know if my question is unclear.

The system I work on used to be like that. You’d have to log into the network, then log into each sub-system as you needed. Most had the same username; however, you were ‘supposed’ to use different passwords. Yea right.

Now we have single sign-on when a user has a Common Access Card (CAC) that looks like a fancy credit card which you slip into a slot on the keyboard. At the most, you may have to re-enter your PIN (4 to 8 characters which shouldn’t ever need to change) if you haven’t entered it lately.

My guess is that the first time is to log into the VPN, the second time is the log in to whatever application hosts the monthly work plans, and the third time is to view the specific work plan he has selected.

Of course this is a huge guess without being able to see the application in question. (It is, however, similar to what I have to do: Log into the encryption software on my computer --> log into windows --> log into the VPN --> Log into Citrix --> Log into TFS --> Work on code)

This may be three separate accounts, that he has set up with the same username and password.

The site could just be broken. This very forum was doing that to me a couple weeks ago when the DB was having issues.

This board was doing it to me too, but I think the others have it right in this case. The father in the OP is probably logging onto three different systems that he (or the system administrators) have given the same user name and password. Each one is a different security layer that requires separate authentication. I have to do that in many various forms at work too. The first is to get access to the VPN, then the server, then the specific application. There can be others as well depending on what I am working on. Some have the same user name and passwords, but they don’t have to.

There are ways to streamline this for users by using a global single sign-on that looks up the rest of their credentials and passes them on to whatever security layer requests them, but those initiatives are more costly than you would ever guess at an enterprise level, and they introduce security risks (it can be like a skeleton key to everything if there is a security breach). I can see why an airline wouldn’t want to go through the expense of rolling out one of those just for a rather trivial convenience, especially if it weakens the security model already in place.

This is a common problem, even in internal in-house networks, where you have to work your way through a bunch of layers of network components to get to the actual application you want.

Some new systems have attempted a more integrated approach, where you have some kind of central database of system resources (printers, databases, file systems, whatever), and a central table of users and their passwords to access various things.

In particular, Microsoft Windows Server has a system called “Active Directory” that handles a lot of this, and supposedly simplifies things tremendously – for the system administrators and users alike. But it takes at least two semesters of formal classroom study (or equivalent) just to scratch the surface.

I know that because I recently took those two semesters. First, a semester of “Windows Server Administration”, and then a semester more narrowly focused on “Windows Active Directory Administration”. In both classes, we only got about two-thirds of the way through their respective textbooks.

Active Directory is based, at least in large part, on Open standards, such as the Lightweight Directory Access Protocol or LDAP, among other standards. See also here for a technical document – note this is a Mozilla site, proving that this standard doesn’t belong only to Microsoft.

I went a bit farther than most others in my classes – Having a Linux machine as well as a virtual Windows Server machine (that ran in the Linux machine) AND a nearby Windows XP machine, I got them all working together, so that they could all read and write files in each other’s directories, and an Apache web server in the Linux machine that the two Winders machines could use, etc. – For a rank beginner like me at this stuff, this was all impressive, if I don’t say so myself.

Active Directory (AD) does provide a way to have one username and password (and all other details) for all the different systems, e.g. if you are disabled in AD then you are disabled everywhere.

But AD does not provide a way for any program to let you log in ONCE.
That would be more to do with the Windows OS “Domain login”, which could allow IIS sites to be single sign-on (SSO’d).
E.g. Oracle provides an Apache/WebLogic filter for websites to allow SSO. You might see Oracle, WebLogic and SSO clues on government and big business websites. The Australian government is big on Oracle SSO at the moment.

The systems do not all need to be isolated - they could all be authenticating to the same underlying system (using LDAP), but the individual front ends do not support passthrough SSO authentication.

This is a common situation where third party systems (web browser based tools etc) can use AD for backend authentication but do not include the deep AD integration to support Single Sign On. It can be highly frustrating, but it can be a difficult problem to solve.
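To make the two situations in this post concrete (several front ends that each re-bind against one shared directory, versus a gateway that binds once and hands out a ticket the others accept), here is an added example that is not from the thread or from any real product. It models the directory as an in-memory dict and the SSO ticket as an HMAC-signed string; the layer names, the user “pilot” and the password are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

# Key shared by the front ends that trust the SSO gateway (constructed; in a real
# deployment this would be a Kerberos/SAML trust, not a raw symmetric key).
SSO_KEY = secrets.token_bytes(32)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Stand-in for the shared LDAP/AD backend: user -> salted hash + enabled flag."""

    def __init__(self):
        self.users = {}

    def add(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "hash": _hash(password, salt), "enabled": True}

    def disable(self, user: str) -> None:
        self.users[user]["enabled"] = False   # "disabled in AD" -> disabled everywhere

    def bind(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        if rec is None or not rec["enabled"]:
            return False
        return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))


def login_each_layer(d: Directory, user: str, password: str,
                     layers=("vpn", "portal", "workplan")) -> dict:
    """The thread's situation: every front end re-binds to the same directory."""
    return {layer: d.bind(user, password) for layer in layers}


def issue_ticket(d: Directory, user: str, password: str, ttl: int = 300):
    """SSO gateway: one bind, then a MAC'd ticket (user|expiry|mac) the other front ends accept."""
    if not d.bind(user, password):
        return None
    payload = f"{user}|{int(time.time()) + ttl}".encode()
    return payload + b"|" + hmac.new(SSO_KEY, payload, "sha256").hexdigest().encode()


def accept_ticket(d: Directory, ticket: bytes) -> bool:
    """A passthrough-SSO front end: verify MAC and expiry, then re-check the account is still enabled."""
    user, exp, mac = ticket.decode().rsplit("|", 2)
    expected = hmac.new(SSO_KEY, f"{user}|{exp}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, expected) or int(exp) < time.time():
        return False
    rec = d.users.get(user)
    return rec is not None and rec["enabled"]
```

The re-check of the enabled flag in `accept_ticket` is what keeps the "skeleton key" from outliving a disabled account within the ticket's lifetime.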

It could also just be a security system written by an idiot. I’ve never seen three times, but I have seen sites that make you give your credentials (for the exact same account) twice in a row “for added security”.