How Secure Is Single Sign-On (SSO) For Businesses?
Single Sign-On (SSO) makes it easy for your employees to access all of their applications without once having to input a password – but how secure is it really?
What Is Single Sign-On?
Single sign-on (SSO) is an identity management solution that allows users to access multiple accounts by signing in with just one set of credentials.
This makes life easier for users who no longer have to remember multiple passwords and also gives admins one centralized way to manage all accounts and govern which users have access to them.
Forms of SSO have been popular in the consumer market for a while now. Many users will be used to linking their Microsoft, Google or Apple account to a range of other applications and websites so that, rather than having to create multiple accounts, they only need to remember and manage a handful of important credentials.
Single sign-on in the business world is slightly more complex, but is also becoming a widespread practice as organizations look for new ways to govern access to important corporate accounts. SSO providers essentially assign each user a token, which when verified by signing into one account, allows them to access all connected corporate devices without needing to login again.
How Does Single Sign-On Work?
As Steve Jobs also said, “Simple can be harder than complex.” Sometimes it’s the most simple and easy to use systems that often have the most complex technologies and deployments behind them, and single sign-on is no exception.
In the interest of trying to keep things simple, here’s the short version:
Normally, when you log in to an application, it will attempt to verify your identity before giving you access. Usually this means you have to provide an email address, password, and sometimes an SMS or an email verification code.
You are then assigned a piece of tracking code, which follows you around the web for the rest of your session, and ensures you don’t need to keep logging into the same website multiple times a day. Once the session ends, you’ll lose that code and have to log in again to gain access.
Single sign-on solutions use that same general process to achieve a slightly different result.
When SSO is deployed and you go to a connected application, it will no longer ask you to sign in with a username or password. Instead, it will send the SSO provider a bit of information about you, and ask it to verify you are who you say you are.
If the SSO provider sees you are verified, you will automatically get access to the application. If you aren’t verified with the SSO provider you will be taken to their login page, where you will be asked for a username, password, and usually some other form of verification.
Like with the usual account sign-in process, this assigns you a piece of tracking code, but instead of keeping you signed into just that one application, every connected app and website you visit will recognise you have been verified, and keep you signed in.
How Secure Is Single Sign-On?
The productivity benefits of single sign-on are obvious. Users no longer have to spend time managing all of their accounts, they don’t have to go to IT when they lose a password, and the user experience overall is much more seamless.
The security benefits of SSO might seem a bit murkier though. Does it not just create one single point of attack for a hacker to breach and access all of your systems? What if the SSO provider is hacked, will that not put all of your accounts at risk?
Well, there are some pros and cons to single sign-on in terms of security, but overall, implementing a high quality SSO service can greatly improve the security of your organization. Here’s why:
Managing Passwords
The first security benefit is that users no longer have to manage all of their passwords. Password compromise is responsible for over 80% of data breaches, which is usually caused by end users choosing passwords that are easy to remember, or reusing the same passwords across multiple accounts.
Single sign-on helps to prevent password compromise because employees no longer have to manage each account that they’re accessing. Instead of needing to remember dozens of passwords, employees just have to remember one. In addition, IT teams can enforce secure password policies that mean the one password they do have to remember meets certain complexity standards.
It is true that if your main SSO password is compromised it can lead to other accounts being compromised too, if there are no other security controls on the account. For this reason, we would recommend ensuring that you enforce extra-strong passwords and implement additional security controls. Bringing us onto the next point…
Multi-Factor Authentication
One major security benefit of single sign-on is that you can enforce multi-factor authentication across all of your accounts easily, and with no added hassle for the end user. This helps to prevent data breaches even if the attacker has your SSO account password, as they would also need the user’s second factor to prove identity, such as a fingerprint scan or SMS message to a smart device.
The best SSO providers enforce adaptive multi-factor or two-factor authentication. Adaptive systems are able to learn your usual behavioural habits, and only kick in when they identify a problem. For example, when you access your accounts on your work PC on a weekday as you do every week, you will be allowed access with no extra steps. But if a login was detected from another country, in the middle of the night, the system would flag a potential breach and ask for extra methods of verification.
This helps to prevent unauthorized account access, without giving the user the added burden of verifying their identity with an extra step every time they log into an account.
Vendor Security
Most single sign-on vendors have excellent security systems in place, but it’s important that you research solutions and ensure you go with a respected service with a strong security record.
One of the potential weaknesses of SSO is that, if you do choose a weak solution that is compromised or goes down, you could lose access to connected accounts for periods of time. Any of the vendor’s vulnerabilities will also become your vulnerabilities.
However, most of the best SSO vendors have highly secure services based on compliance regulations and industry standards. Many will also never store any information like account passwords or master keys on their systems so, even in the event of the vendor being compromised, your own accounts will remain protected.
But it is still important that you research vendors and compare security white papers to ensure that the service you decide to deploy is protected against outages, data breaches and other cybersecurity risks.
It’s also important that whichever vendor you choose makes clear they have policies not to share any client data with third parties.
Account Sharing
One of the major security risks within businesses is sharing our passwords with others in the team. This is often unavoidable, especially in small businesses where one premium account may need to be shared between multiple users.
However, this can pose a security risk, especially when passwords are shared through insecure methods, like via email or on a spreadsheet. These passwords can be easily compromised or lost, and give your admins no way of tracing where account passwords have been shared.
You may be thinking that SSO presents a problem for account sharing; how can you share passwords when access is tied to an individual SSO account? Well, the leading SSO vendors have anticipated this problem and found a solution that allows accounts to be shared securely, while giving admins more control over access.
Vendors like OKTA allow admins to assign the same username and password across multiple applications, meaning that verified users can all access the same account with their SSO credentials. This means that users no longer have to share passwords in unsecure ways, and admins can have greater control over which users have access to which accounts.
Admin Policies and Reports
Single sign-on solutions also provide a range of policies and reports into account access that can be a real benefit for security teams. Having a birds-eye view of all your accounts and how users are interacting with them can give you an opportunity to review security policies and tighten controls to prevent data breaches.
For example, you could limit the users that have access to financial accounts, and ensure investigation into any suspicious activity and app usage that flags up. In addition, many solutions will allow you to view the password health of individual accounts, and track MFA usage to ensure employees are using safer account processes.
In most cases, admin controls are delivered in a cloud-based admin console, allowing you to limit user controls, create SSO groups and check the security of the devices users are using to connect to corporate accounts. Reports will also be delivered in these consoles, as well as via email, to ensure admins get the visibility they need into account activity.
Reduced Help Desk Workload
One important security benefit of single sign-on is that it reduces your help desk workload. At first glance, this may not seem like it will benefit security, but freeing IT teams from having to deal with password resets and account compromise attempts gives them more time to focus on other important security concerns – while being safe in the knowledge users are protected from identity threats.
Of course, this again relies on the single sign-on vendor you decide to invest in. Some vendors, like LastPass and Okta, have focussed on building integrations with hundreds of applications to make deploying the service as easy as possible for all of your different accounts. Others will have more complex deployment processes that can take more time.
It’s important to research solutions and ensure that whichever service you choose has a focus on ease of deployment and integrations. This reduces the time it will take to roll out the service to your users, and also means you’re unlikely to see many ongoing problems with the service, freeing up more IT resources to work on other important issues.
Getting Started With Single Sign-On
Single sign-on provides some great security benefits for businesses when it comes to securing accounts and improving identity management. Removing our reliance on insecure passwords, implementing MFA, giving admins more control and freeing up IT resources can all help to secure businesses.
There are some security challenges that single sign-on can present too of course. It’s can be a single point of failure for attacks if proper protections like MFA are not put in place. It’s also important that the service you choose has strong security controls, as well as being easy to manage and deploy.
But overall, it’s clear that SSO provides a strong layer of protection for users, while making it much easier to access accounts and increase productivity. The security challenges it can pose are not insurmountable with proper security controls in place, and many are solved when using a high-quality single sign-on solution.
To help you identify the best single sign-on solution for your organization, we’ve put together a guide to the top SSO solutions for businesses. We’ve compared features, pricing and customer reviews to help you make the right purchasing decision. You can read our guide to the Top 10 Single Sign-On solutions for business here.