We are hoping that we can convince everyone that pushing Enterprise passwords into the cloud is a bad idea and in our opinion is certainly not a security ‘best practice’
I agree. Definitely not a best practice but since when has best practice ever had anything to do with they way software is developed? Entropy is in charge out there and whatever is the easiest way to do something will, in many (most?) cases, result in the easiest route through the compiler. Syncing passwords versus using a claims-based model is simply bound to happen. Hmmm, doesn't Microsoft's own BPOS require a separate, non-claims-based, password for access? Yes, I realize they are fixing that in BPOS next but just the same some kind of business necessity pushed them to throw claims to the wayside. Why doesn’t ADP or Fidelity require access to occur versus claims? Why doesn’t my company (Quest Software) want to use claims to access these services for their employees? Entropy, plain and simple – it’s “easier”.
I suspect that there will be claims-based and non-claims-based methods of accessing cloud apps – unfortunately. Either way, I sure hope that companies consider stronger authentication (two-factor, one-time password, etc.) to protect those claims and passwords!