Q: To make life less complicated for our end-users, we’re considering implementing a Single Sign-On System (SSO) in our GxP environment. Under the system, a Windows user name and password is required only at workstation log-in. Once the user logs in, he or she doesn’t need to re-enter a user name or password for any GxP application. The application simply opens and has a strong audit trail to capture what it needs.
Among the “pros” of the Single Sign-On System, it’s less likely users will leave Post-It Notes with passwords under monitors and keyboards. It also forces stronger security at the domain level, since the system administrator still must meet regulatory requirements for password aging, system lock-out, etc.
But I understand a “con” of the system is it might introduce higher security risks when workstations are shared. What do you think FDA’s position would be — including using the Single Sign-On System for electronic signatures?
A: As long as SSO is used to authenticate the individual and grant correct privileges to that individual, I have no problem with a Single Sign-On System. But in the end, your users still must protect their workstation security as well as their passwords.
Your users must have the discipline and additional controls to lock their workstations when left unattended. For multiple-user computers, FDA has seen too many users forget to log-out, and the next person just continues to use the system (even when he or she has to unlock the screen saver).
If you’re using electronic signatures with the single use system, for the first electronic signing, you should re-enter the user name and password as your electronic signature. FDA allows you to have the same user name and password for log-in and for your electronic signature. The Preamble (Background) to the Part 11 Final Rule says that if you have sufficient controls, the log-in can be the first part of the signature. But what if two or more users — each with different user names — have the same password? The combination may be unique, but the password is not.
So if the Single Sign-On System makes everyone have a unique password plus a unique user name, then I would agree that once you sign on — SSO or not — only the password is needed for the first signing.
Answered by Jan Olson, EduQuest Vice President of Regulatory and Quality Services (22 years as an expert FDA investigator and office director) and lead instructor of EduQuest’s FDA Auditing of Computerized Systems and Part 11/Annex 11 training class.
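The signing flow the answer describes, as an added illustration (not code from EduQuest, the questioner, or any product): the SSO log-in establishes identity but is not itself a signature; the first signing in a continuous session re-enters user name and password; later signings in the same uninterrupted session need only the password; a lock, log-out, or idle timeout resets the session; and every signing attempt is written to an audit trail. It also includes a password-reuse check for the answer's closing concern that two users with different user names might share one password. The ten-minute idle limit, the user names and the passwords are constructed assumptions, not values from the page.

```python
"""Part 11-style signature session layered on an SSO identity.

Added example, hypothetical code. Assumptions: an in-memory user directory
with salted PBKDF2 hashes stands in for the Windows domain; IDLE_LIMIT is a
made-up site policy; user names and passwords are constructed sample data.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

IDLE_LIMIT = timedelta(minutes=10)  # assumed policy: idle longer than this ends the session


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, user_name: str, password: str) -> None:
        self.user_name = user_name
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


def make_directory(creds: Dict[str, str]) -> Dict[str, Account]:
    """Build the stand-in directory from {user_name: password}."""
    return {user: Account(user, pw) for user, pw in creds.items()}


def password_is_reused(directory: Dict[str, Account], user: str, candidate: str) -> bool:
    """Policy check at password-set time: does any OTHER account already use this password?
    Guards the case the answer raises, where two user names share one password."""
    return any(acct.verify(candidate) for name, acct in directory.items() if name != user)


class SignatureSession:
    """Tracks one user's continuous session of controlled-system access after SSO log-in."""

    def __init__(self, directory: Dict[str, Account], sso_user: str, now: datetime) -> None:
        self.directory = directory
        self.sso_user = sso_user          # identity established by the SSO log-in
        self.signed_once = False          # has the two-component first signing happened?
        self.last_activity = now
        self.audit_trail: List[Tuple[str, str, str, str]] = []

    def interrupt(self, reason: str, now: datetime) -> None:
        """Screen lock, log-out or timeout: the next signing needs both components again."""
        self.signed_once = False
        self.last_activity = now
        self.audit_trail.append((now.isoformat(), self.sso_user, "SESSION_INTERRUPT", reason))

    def _reject(self, record_id: str, now: datetime, why: str) -> None:
        self.audit_trail.append((now.isoformat(), self.sso_user, "REJECTED", f"{record_id}:{why}"))

    def sign(self, record_id: str, meaning: str, password: str, now: datetime,
             user_name: Optional[str] = None) -> bool:
        """Apply an electronic signature; returns True only when the signing is accepted."""
        if now - self.last_activity > IDLE_LIMIT:
            self.interrupt("idle-timeout", now)
        acct = self.directory.get(self.sso_user)
        if acct is None:
            raise PermissionError("SSO identity not present in directory")
        if not self.signed_once and user_name != self.sso_user:
            # First signing of a session: user name must be re-entered and match the SSO identity
            self._reject(record_id, now, "first signing requires matching user name")
            return False
        if not acct.verify(password):
            self._reject(record_id, now, "password verification failed")
            return False
        self.signed_once = True
        self.last_activity = now
        self.audit_trail.append((now.isoformat(), self.sso_user, "SIGNED", f"{record_id}:{meaning}"))
        return True


if __name__ == "__main__":
    directory = make_directory({"alice": "Correct-Horse-1", "bob": "Battery-Staple-2"})
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    session = SignatureSession(directory, "alice", t0)
    print(session.sign("BATCH-001", "reviewed", "Correct-Horse-1", t0))                  # False: no user name
    print(session.sign("BATCH-001", "reviewed", "Correct-Horse-1", t0, user_name="alice"))  # True
    print(session.sign("BATCH-002", "approved", "Correct-Horse-1", t0 + timedelta(minutes=2)))  # True
    print(password_is_reused(directory, "bob", "Correct-Horse-1"))                      # True
    for entry in session.audit_trail:
        print(entry)
```

The session object is the piece a shared-workstation deployment must get right: a lock or log-out calls `interrupt`, so the next person at the keyboard cannot ride the previous user's "signed once" state, and every rejected attempt lands in the audit trail alongside the accepted signings.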