I was viewing an episode in the Network+ show in which Wes Sir discusses the Kerberos protocol. There he mentions that it allows Single Sign-On. I was wondering whether Single Sign-On wouldn't compromise anything from a security perspective. For example, if someone gets access to your device and Single Sign-On is enabled, what is the use of the Kerberos protocol then? I understand that it provides convenience, but is this trade-off acceptable?
Doubt in Single Sign On
@Atharva-Bet, another great question. Kerberos in Active Directory allows SSO authentication for all members of that Active Directory domain by issuing a ticket-granting ticket (TGT) after the user types in their username/password. Once the initial logon to the domain is complete, Kerberos uses the TGT and service tickets (handled by the domain controller), which are presented on the user's behalf instead of requiring a second authentication process (username/password). There are more steps, but this is beyond the scope of the Network+ exam.
On the next point, once a user has an active login session and the device is stolen, almost all security implementations are null and void, not just SSO. This would be no different from, say, being logged into your smartphone in an active session where you have implemented MFA such as a PIN and fingerprint biometrics: the logon process is complete. The attacker does not need to know your password or have a copy of your fingerprint; the system is already logged in. This is why administrators implement screensaver timeouts and locks, and mobile-device screen locks that engage when an authenticated session is idle. This reduces the likelihood of a successful exploit of an authenticated session.
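The two points above (one password logon, then tickets presented on the user's behalf, and ticket lifetime bounding what a stolen active session is worth) can be illustrated with a small model. This is an added example, not code from the thread or from any real Kerberos implementation: it is a toy KDC with a constructed user directory, uses an HMAC instead of Kerberos encryption, and ignores realms, pre-authentication and renewal.

```python
"""Simplified model of Kerberos SSO: one password logon yields a TGT; service
tickets are then obtained with the TGT alone. Toy code, not real Kerberos
(HMAC instead of encrypted tickets, no realms); all sample data is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed directory: username -> password-derived key, as the KDC would hold it.
USERS = {"alice": hashlib.sha256(b"correct horse").digest()}
KDC_SECRET = secrets.token_bytes(32)  # key the toy KDC uses to seal and verify tickets


@dataclass
class Ticket:
    user: str
    service: str        # "krbtgt" marks a ticket-granting ticket
    issued: int         # seconds since epoch (constructed clock)
    lifetime: int       # seconds the ticket stays valid
    mac: bytes


def _seal(user, service, issued, lifetime):
    msg = f"{user}|{service}|{issued}|{lifetime}".encode()
    return hmac.new(KDC_SECRET, msg, "sha256").digest()


def _valid(t, now):
    # A ticket is accepted only if its seal is genuine and it has not expired.
    ok_mac = hmac.compare_digest(t.mac, _seal(t.user, t.service, t.issued, t.lifetime))
    return ok_mac and t.issued <= now < t.issued + t.lifetime


def initial_logon(user, password, now, lifetime=36000):
    """AS exchange: the only step that needs the password. Returns a TGT or None."""
    key = hashlib.sha256(password.encode()).digest()
    if user not in USERS or not hmac.compare_digest(USERS[user], key):
        return None
    return Ticket(user, "krbtgt", now, lifetime, _seal(user, "krbtgt", now, lifetime))


def request_service_ticket(tgt, service, now, lifetime=3600):
    """TGS exchange: the TGT is presented on the user's behalf; no password involved."""
    if tgt is None or tgt.service != "krbtgt" or not _valid(tgt, now):
        return None
    return Ticket(tgt.user, service, now, lifetime, _seal(tgt.user, service, now, lifetime))


def service_accepts(ticket, service, now):
    return ticket is not None and ticket.service == service and _valid(ticket, now)


def demo(t0=1_000_000):
    tgt = initial_logon("alice", "correct horse", t0)
    st = request_service_ticket(tgt, "cifs/fileserver", t0 + 60)
    forged = Ticket("alice", "cifs/fileserver", t0, 3600, b"\x00" * 32)
    return {
        "wrong_password_rejected": initial_logon("alice", "wrong", t0) is None,
        "sso_without_password": service_accepts(st, "cifs/fileserver", t0 + 61),
        "expired_tgt_refused": request_service_ticket(tgt, "cifs/fileserver", t0 + 36001) is None,
        "forged_ticket_refused": not service_accepts(forged, "cifs/fileserver", t0 + 1),
    }
```

The `expired_tgt_refused` case is the defender's point from the answer: a captured active session is only useful until its tickets expire or the screen lock forces a fresh logon.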