It’s no secret that in the tech world we want things to be as simple and easy as possible. Perhaps one of the more notable examples of this is the single sign-on (SSO) solution. Simple, however, doesn’t always mean secure.
SSO is a user authentication tool that verifies a user at the start of their web or app session. They will stay authenticated throughout this session, without the need to re-enter their credentials or confirm their identity at any point. SSO was designed to improve the user experience by reducing fatigue and improving productivity. Users no longer have to remember different complex credentials for each of their accounts.
The problem is that as soon as a new cybersecurity tool hits the market, scores of attackers look for ways to bypass its security and exploit its vulnerabilities. SSO is no exception. Despite SSO's ability to improve productivity, user experience, and satisfaction, it is not without security risks, and these should be properly considered before you decide to invest in SSO for your organization.
How Does Single Sign On Work?
Before we get into the security risks of SSO, it helps to understand how SSO actually works.
SSO comes under the umbrella of federated identity management (FIM). It works by making an “arrangement” between numerous domains that leverage a third-party service to take care of the actual authorization process. Within this system, there is an open authorization framework that allows user information to be shared between domains. This is managed by a third-party service that conceals and protects user information and credentials.
When a user tries to access a new application, the relevant server will receive a token containing specific information about the user’s account. The SSO solution will check these tokens to confirm (with the SSO policy server) that the user is who they say they are. If this token swap or confirmation cannot be completed, the server will prompt the user for additional verification or ask them to re-enter their credentials.
To access an SSO account, a user's login is verified by an SSO provider, such as Okta or Auth0. The provider then uses public-key cryptography to create a digitally signed certificate that proves the user is genuine. This certificate can be securely shared with connected accounts to grant the user access, without the need to sign in again.
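The token exchange described above, reduced to its essentials, as an added example that is not part of the original article and not the code of any SSO provider named here. The identity provider (IdP) signs a small set of claims with its private key; the application receiving the token needs only the IdP's public key to check the signature, and then checks that the token was meant for it and has not expired. The token format (base64url claims, a dot, base64url Ed25519 signature), the claim names and the example issuer and audience strings are all hypothetical simplifications chosen for this illustration, not a real SAML or OpenID Connect encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the minimal set of statements an IdP makes about an authenticated
// user. Field names mirror common token usage, but this is a hypothetical
// simplified format for illustration, not a standard.
type Claims struct {
	Subject  string `json:"sub"` // who authenticated
	Issuer   string `json:"iss"` // which IdP is vouching for them
	Audience string `json:"aud"` // which application the token is for
	IssuedAt int64  `json:"iat"` // unix seconds
	Expires  int64  `json:"exp"` // unix seconds
}

// IssueToken is the IdP side: serialise the claims and sign them with the
// IdP's private key. Token layout: base64url(claims) + "." + base64url(sig).
func IssueToken(priv ed25519.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, body)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(sig), nil
}

// VerifyToken is the application (service provider) side. It holds only the
// IdP's public key. The signature proves the IdP produced the claims; the
// issuer, audience and expiry checks stop a genuine token from being accepted
// by the wrong application or long after it was issued.
func VerifyToken(pub ed25519.PublicKey, token, wantIssuer, wantAudience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	body, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("bad claims encoding")
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	// Verify the signature before trusting anything inside the claims.
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature invalid: not issued by this IdP or tampered with")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, errors.New("bad claims")
	}
	if c.Issuer != wantIssuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Issuer)
	}
	if c.Audience != wantAudience {
		return nil, fmt.Errorf("token is for %q, not this application", c.Audience)
	}
	if now.Unix() >= c.Expires {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the IdP's key pair
	now := time.Now()
	tok, _ := IssueToken(priv, Claims{
		Subject: "alice@example.com", Issuer: "https://idp.example", Audience: "payroll-app",
		IssuedAt: now.Unix(), Expires: now.Add(5 * time.Minute).Unix(),
	})
	if c, err := VerifyToken(pub, tok, "https://idp.example", "payroll-app", now); err == nil {
		fmt.Println("accepted:", c.Subject)
	}
	// The same token presented to a different application is rejected.
	if _, err := VerifyToken(pub, tok, "https://idp.example", "hr-app", now); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The audience check is the part that is most often forgotten: without it, a token issued for one application can be replayed against any other application that trusts the same IdP, which is exactly the "one set of credentials opens everything" risk discussed below.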
The Security Risks Of Using Single Sign-On
Despite being the number one way we confirm our identity, passwords really aren’t as secure as we’d hope. They can be breached in a brute force attack, or simply guessed if they are not strong enough. This weakness makes them the biggest targets threat actors chase after. Passwords and accompanying usernames are frequently up for sale on the dark web. Threat actors will go to great lengths to get their hands on passwords and credentials, ranging from physical efforts such as infiltrating organizations and stealing physical data, to creating malware that harvests credentials from browser caches.
Because the attitude and general hygiene around passwords is frequently poor, credentials are some of the weakest entry points into a network. End-users tend to favor short, easy-to-remember passwords (which, not coincidentally, are often easy to guess), despite prompts to choose longer and more complex passwords.
Attitudes to storing passwords can also be lax, with users keeping passwords in unprotected files on other devices or on slips of paper under their desk. Users’ credentials are also vulnerable to phishing attacks, some of which prompt the target to enter their details into a spoofed credential-harvesting site.
The biggest security risk to consider with SSO is that there is only one set of credentials to compromise. If an attacker is granted access to your SSO account, they will have access to all of your authorized accounts. From there, the threat actor will be able to instigate attacks on the network, make lateral moves to users higher up the food chain, find network vulnerabilities, initiate ransomware attacks, steal data and information, and more.
Even though good password hygiene is strongly encouraged in every office, this doesn’t mean that the users will take heed and use appropriate passwords for their accounts. While users will use one set of login credentials to access their SSO account, there is no way of ensuring that this password isn’t shared or doesn’t match a previously used password.
Mitigating Risk For Single Sign-On
Despite the risks, it’s not all doom and gloom. SSO is an effective tool for enforcing identity, provided that you practice good hygiene and take preventative measures. Beyond improving the user experience, SSO also reduces the attack surface by requiring only one strong password.
This is a double-edged sword. A reduced attack surface means that there is only one point that needs to be breached. If a user’s credentials become compromised, the successful threat actor has access to all the accounts that the compromised user is authorized to access. Here are several ways to improve your security posture with SSO, and one SSO alternative.
Multi-Factor Authentication (MFA) And Two-Factor Authentication (2FA)
As the name implies, MFA and 2FA require users to verify their identity through the use of two or more authentication factors. Rather than enforcing any of its own security methods, MFA utilizes other apps or services to verify identity.
To read more about how MFA works, check out our article below.
How Does Multi-Factor Authentication (MFA) Work?
There are a range of ways to verify identity with MFA and 2FA – these fall into three categories:
- Something you know: This form of authentication usually refers to a question that only the user should know the answer to. You have probably seen “what was the street you grew up on” or “what is the name of your favorite elementary school teacher” before. While the questions tend to be niche and personal, in an age of widespread social media these answers are not as private as we would expect.
- Something you have: This usually comes down to either an app installed on a trusted device or a one-time passcode (OTP) sent via email or SMS. Extra authentication methods may or may not be applied to the token or device they use to authenticate. For example, before opening the passcode app on your device, the app might require a face scan to proceed.
- Something you are: This authentication method is biometric based and is one of the strongest factors. Users need to provide a face or fingerprint scan to verify their identity, often performed through a mobile device.
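The “something you have” factor described above is most often an authenticator app generating time-based one-time passcodes. The code below is an added example, written for this article rather than taken from it or from any MFA vendor, implementing HOTP (RFC 4226) and TOTP (RFC 6238) with Go's standard library: HMAC-SHA1 over a counter, dynamic truncation to a few decimal digits, and a verifier that tolerates one 30-second step of clock drift and compares in constant time. The shared secret used in the stand-alone run is the RFC test secret; a real deployment would provision a random per-user secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// pow10 returns 10^n as an integer (digits is small, so no overflow concern).
func pow10(n int) uint32 {
	p := uint32(1)
	for i := 0; i < n; i++ {
		p *= 10
	}
	return p
}

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation of the digest, then reduction to `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // low nibble of the last byte picks the window
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	code %= pow10(digits)
	return fmt.Sprintf("%0*d", digits, code)
}

// TOTP implements RFC 6238: the counter is the number of 30-second steps
// since the Unix epoch, so both sides only need a shared secret and a clock.
func TOTP(secret []byte, t time.Time, digits int) string {
	return HOTP(secret, uint64(t.Unix()/30), digits)
}

// VerifyTOTP accepts the current step and one step either side to tolerate
// clock drift between the user's device and the server. The comparison is
// constant-time so a submitted code cannot be matched digit by digit.
func VerifyTOTP(secret []byte, submitted string, t time.Time, digits int) bool {
	for _, skew := range []int64{-1, 0, 1} {
		step := t.Unix()/30 + skew
		if step < 0 {
			continue
		}
		expected := HOTP(secret, uint64(step), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226/6238 test secret, not for real use
	now := time.Now()
	code := TOTP(secret, now, 6)
	fmt.Println("current code:", code, "valid:", VerifyTOTP(secret, code, now, 6))
}
```

A production verifier should also record the last step at which a user's code was accepted and refuse that step again, so that a code observed once cannot be replayed within its drift window.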
For a list of the top MFA solutions, you can read our article here:
The Top 11 Multi-Factor Authentication (MFA) Solutions For Business
Security Awareness Training
Security awareness training (SAT) is used to educate your users on cybersecurity threats and what they can do to maintain good overall network and security hygiene. Training usually centers around examples of risks, and how users can mitigate them. Common topics covered in SAT schemes include:
- Spotting phishing emails
- Maintaining good password hygiene
- Maintaining good physical security as well (such as ensuring laptops and devices are safely stored and critical information is kept out of harm’s way).
SAT can be beneficial when implementing SSO as it highlights to your users why good password hygiene matters. Users will learn how to choose the right password, how to look after their passwords, and more, all with the intention of making sure that these credentials are not compromised and leveraged for attacks. For more information on finding the right solution, read our article here:
How To Choose A Security Awareness Training Solution
Once you know what you’re looking for, and have decided how an SAT solution will help your organization, find out about The Top 10 SAT Solutions For Business.
Web Content And URL Filtering
With SSO, there is the risk that credentials and users can become compromised when traversing the web. There is plenty to be wary of, from webpages embedded with malware to phishing scams and attacks that harvest saved credential information from browser caches, so it is important that users remain vigilant while online.
For more on web content filtering and how it works, read on with our blog here:
What Is Web Content And URL Filtering?
To make it easier for users to stay safe while browsing the web, your organization should use web content and URL filtering tools. These services scan all web content and URLs to decide whether the website, page, or embedded content is harmful. If it is, it can be blocked before your user has a chance to access it. These tools are effective at preventing malware and ransomware from being deployed on your network or company devices. They also reduce the chance of phishing scams affecting you and can block harvesting attacks that steal your credentials and information for further, often more devastating, attacks.
The Top 7 Web Content Filtering Solutions For Business are listed on our article, here.
Password Managers As An Alternative
Password managers are encrypted vaults that store all of your users’ passwords for safekeeping. This encrypted vault protects all credentials and supplies them to your users when they need to log in to a site or application. Password managers often work by requiring the user to log in with a master password, which is the only one they need to remember. The user’s details can then be auto-filled on trusted pages with one click.
This ensures that users’ accounts are kept separate from each other, whilst making the login process simple. No third party has access to the stored passwords, ensuring that your accounts are safe. Password managers also encourage good password hygiene as users can create complex and unpredictable passwords, without needing to remember any of them.
Most password managers will suggest and autofill complex passwords, removing the need for users to think up ones themselves. There are more benefits to password managers than just password management. They can also help to detect fake websites, notify users when they’ve reused passwords across more than one account, and can alert admins and users when their credentials have been spotted in a breach.
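Two of the checks mentioned above, flagging a password reused across accounts and flagging one that appears in a known breach, can be done without the vault ever sending a password anywhere. The code below is an added example written for this article, not the code of any password manager: it audits a small constructed vault for reuse, and checks each password against a breach corpus using the hash-prefix (k-anonymity) pattern, in which only the first five hex characters of the password's SHA-1 leave the client and the full comparison happens locally. The `BreachIndex` type stands in for the remote lookup service, and all site names, passwords and breach entries are constructed sample data.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// VaultEntry is one credential a password manager holds for a user.
type VaultEntry struct {
	Site     string
	Password string
}

// Finding describes a hygiene problem found during a vault audit.
type Finding struct {
	Site   string
	Issue  string // "reused" or "breached"
	Detail string
}

// sha1Upper returns the uppercase hex SHA-1 of a password, the form used by
// hash-prefix breach lookups. SHA-1 is fine here because the hash is only a
// lookup key against a corpus of already-leaked plaintexts, not a stored secret.
func sha1Upper(pw string) string {
	sum := sha1.Sum([]byte(pw))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// BreachIndex stands in for a remote breach-corpus service, keyed by the
// 5-character hash prefix and holding every known suffix under that prefix.
type BreachIndex map[string][]string

// NewBreachIndex builds the index from a plaintext breach list (constructed sample data).
func NewBreachIndex(leaked []string) BreachIndex {
	idx := BreachIndex{}
	for _, pw := range leaked {
		h := sha1Upper(pw)
		idx[h[:5]] = append(idx[h[:5]], h[5:])
	}
	return idx
}

// IsBreached sends only the prefix to the "service" and compares the suffixes
// locally, so the service learns neither the password nor its full hash.
func (b BreachIndex) IsBreached(pw string) bool {
	h := sha1Upper(pw)
	for _, suffix := range b[h[:5]] {
		if suffix == h[5:] {
			return true
		}
	}
	return false
}

// AuditVault reports passwords shared between sites and passwords present in
// the breach index. One finding is emitted per affected vault entry and issue.
func AuditVault(vault []VaultEntry, idx BreachIndex) []Finding {
	var findings []Finding
	sitesByPassword := map[string][]string{}
	for _, e := range vault {
		sitesByPassword[e.Password] = append(sitesByPassword[e.Password], e.Site)
	}
	for _, e := range vault {
		if sites := sitesByPassword[e.Password]; len(sites) > 1 {
			findings = append(findings, Finding{Site: e.Site, Issue: "reused",
				Detail: fmt.Sprintf("same password used on %d sites", len(sites))})
		}
		if idx.IsBreached(e.Password) {
			findings = append(findings, Finding{Site: e.Site, Issue: "breached",
				Detail: "password appears in the breach corpus"})
		}
	}
	return findings
}

func main() {
	// Constructed sample data: a tiny breach corpus and a four-entry vault.
	idx := NewBreachIndex([]string{"password123", "letmein", "qwerty"})
	vault := []VaultEntry{
		{Site: "mail.example", Password: "Summer2023!"},
		{Site: "bank.example", Password: "Summer2023!"},
		{Site: "shop.example", Password: "letmein"},
		{Site: "vpn.example", Password: "xq7-R4v$n9!pL2wz"},
	}
	for _, f := range AuditVault(vault, idx) {
		fmt.Printf("%-14s %-9s %s\n", f.Site, f.Issue, f.Detail)
	}
}
```

The reuse check is the one most relevant to SSO: the article's concern that an SSO password may match a password already used elsewhere is exactly what this audit surfaces, and a breached or reused SSO master credential is the finding an administrator should act on first.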
To read up on The Top 10 Password Managers For Business, read our article here.
While SSO solutions present an excellent way to ease the frustration and fatigue of remembering complex passwords when signing in, like any cybersecurity tool, they are not without risk.
For organizations looking to implement SSO, you need to ensure that you are practicing good security hygiene at all times. If you become complacent and expect SSO to automatically keep you safe, you’ll run into trouble. Through use of MFA, password managers and other good practices, you can ensure SSO is a net benefit to your organization. It can improve efficiency, whilst cutting the amount of information employees have to remember.