Single sign-on (SSO) is a security tool that is part of a wider subset of identity and access management (IAM) solutions. It is a streamlined and straightforward form of user authentication, that lets users login to their company networks with a single set of login credentials. This grants them access to multiple applications in one.
Users will login with a singular set of credentials to a “home domain” using a “master password”. This is, essentially, a gateway application that will grant a user access to the rest of their network. After users enter their credentials, they will be able to navigate from application to application during their current session, without having to re-enter their credentials at any point.
How Does Single Sign-On Work?
To truly appreciate what SSO has to offer, it’s important to understand how it actually functions, and how it can benefit your business.
When a user logs onto their company network at the start of their working day, they will head to their main login portal (or home domain) and login. This marks the beginning of the user’s session. During this session they will be able to navigate their network without having to enter credentials for individual applications, unless the SSO solution cannot verify the user’s identity.
In order for this seamless transition to be achieved, an in-depth verification process has to happen in the background.
SSO is a subset of federated identity management (FIM). It’s this federated identity management system that allows for the automatic verification and approval of users as they navigate their network. FIM is made up of a variety of trust domains–theses include applications and webpages on the company network, as well as apps and tools used daily. It’s important that users have different accounts and passwords, for each domain, to ensure accounts are secure.
While these domains are usually owned and operate separately, they will be connected together by the third-party service (i.e., the FIM system). This third-party service, often referred to as an identity provider, will store the users’ login credentials and accounts for future verification.
FIM is the framework in which the SSO verification process operates. It uses verification tokens to manage logins and ensure identity is verified. FIM uses the open authorization (OAuth) protocol – this enables user information to be used by third-party services whilst keeping information secure throughout its journey. OAuth gives identity providers access tokens that contain uses a small amount of personal information to verify identity, and allow login. After the token has been confirmed with the new domain, the user can be granted access.
SSO is an efficient and effective solution that can, at times, be complex and delicate. For more information on how these tools operate, and how SSO is achieved in detail, check out our blog here:
The Benefits Of Single Sign-On
Now that we’ve laid out what SSO does and how the process works, let’s explore the benefits.
While it might seem like a tool that just simplifies sign-in, there are a wealth of other reasons SSO is a worthwhile solution investing in.
Enhanced Security
Of the biggest vulnerabilities that your company has, password management sits alongside email phishing and network vulnerabilities. In other words, password (mis)management could put your organization in a tricky position. Passwords are the number one route for hackers to gain access to your organization, with Verizon reporting that 81% of all hacking related breaches began with a stolen or weak password. It’s a terrifying statistic that reveals just how important password hygiene and security really are.
Password hygiene refers to a series of best practices that ensure that users’ passwords, and other credentials, are secure and not easily compromised. 24% of Americans still use weak passwords to this day, such as ‘Qwerty’, ‘12345’, and ‘password’ (‘password1’ if they’ve had to reset their password). Although passwords are seen as personal, private information, poor password hygiene can have a detrimental effect on your company’s overall cybersecurity health. Encouraging the use of strong, complex passwords (that are different for each application) is absolutely crucial to ensuring a single compromised password doesn’t become a gateway to a huge data breach.
The problem is that having a separate password for every login results in a lot of complex passwords to remember. Having an effective SSO solution reduces the information that your user’s need to remember. This allows them to use more complex and therefore, more effective, passwords.
In practice, users can create a range of long, unpredictable, and individual passwords for each account, only having to remember the set of credentials to login to their home domain.
Having a single, secure password to remember reduces the temptation for passwords reuse, or the use of weak “memorable” passwords across multiple accounts. It also reduces the attack surface area – as there is only one “gateway” (home domain credentials), provided that this is secure, it can be very hard for an attacker to gain access. There aren’t lots of accounts with weak protection that could allow an attacker lateral movement once an account is breached.
Keeps Credential Information Secure
Login credentials, tokens, and any data about users that is needed for authentication is usually kept safe and locked by the Single Sign-On provider. Tokens are saved in the central SSO server, rather than locally (within the application). This ensures that it can be protected with a high level of encryption. This means that the applications cannot cache sensitive login data, meaning it stays safe from harvest-types of malware.
Lowers IT Costs
Another benefit of implementing an SSO solution is that it greatly reduces the number of help desk calls. For many organizations, password resets will have to be completed through the IT department to ensure the password reset is not fraudulent. Having an SSO solution that removes the need for your users to remember so many passwords, reduces the amount of time spent having to deal with password reset requests. Increasingly, SSO solutions are allowing users to set their own passwords (both master password and for individual accounts), meaning that in the rare case they do need to reset it, they can do it themselves with no IT involvement required.
Provisioning And Deprovisioning
In computing, user provisioning describes the process of creating, updating, and deleting user accounts in a network’s applications and systems. Deprovisioning serves as the opposite of this – the act of removing user access to applications and systems and any associated data. In addition to applications, provisioning and deprovisioning can include any associated information, such as group memberships, groups, and user entitlements.
Having SSO implemented can save the admin team time on provisioning and deprovisioning. As it comes under the umbrella of IAM, SSO is an important part of the provisioning process. Through SSO, admins can create policies that are defined by user, user roles, or device, device location, groupings, titles, and much more. Provisioning (and deprovisioning) can quickly be done through a SSO solution, with admins able to update users across multiple applications in one go, rather than the time, and labour, intensive job of updating details in each application.
Enhance User Identity Security
Through the inclusion of multi-factor authentication (MFA), the, already reduced, attack surface can be further secured. This builds upon way that SSO contains network access to one point of entry with a single set of credentials. By ensuring this gateway is as secure as possible, you can protect all your accounts at once. MFA uses at least two different authentication methods to verify your identity. The use of MFA or two-factor (2FA) authentication tools can greatly enhance security by restricting attack vectors in your network through SSO, then recording authentication through MFA and 2FA.
Interested? Check out our buyer’s guide on some of the best multi-factor authentication solutions on the market:
The Top 11 Multi-Factor Authentication (MFA) Solutions For Business
Productivity And Speed
Having a large number of passwords to enter, re-enter, and remember, takes a large chunk out of your users’ valuable time. Across a whole work week, this time adds up. If you can reduce the time it takes users to login and re-logging in, to remember and reset passwords, your users’ can spend more time focusing on the thing that really matters: their work.
Aside from generally increasing productivity, the increased speed of login is beneficial to time-critical job roles. For certain organizations and sectors, such as hospital and emergency services, fast data, file and application access can have a direct impact on outcomes and level of service provided. Having a streamlined login, that also safeguards against cybersecurity risks, can be crucial in these settings.
Enhances User Experience
Enhancing user experience is arguably the reason why single sign-on solutions were created in the first place.
Nowadays, individual users have an innumerable number of login credentials to remember, not just for work but for personal use as well. Trying to maintain excellent password hygiene for all these accounts is difficult, annoying, and time-consuming.
And so, this leads to password fatigue – a phenomenon where users are overwhelmed and exhausted with the sheer number of passwords they have to create, remember, and update, that they, effectively, give up. Password fatigue results in the overuse of a single password for multiple accounts or excess of simple passwords (like the infamous, aforementioned password: “password”).
Having an SSO solution mitigates password fatigue by reducing the human effort needed to secure your accounts. As users only have to remember the main password (master password) for their home domain, the password process is simplified as much as possible. A simplified login process results in happier, more satisfied users that can focus on being productive, rather than dealing with password fatigue and increased calls to the IT team for assistance.
Things To Bear In Mind
Despite all its benefits, there are some areas that need to be considered in relation to an Single Sign-On solution. SSO isn’t a perfect solution, and a few things need to be considered before making a purchase.
- SSO works best when strong passwords are used, meaning that good password hygiene must be enforced on your users from the get-go.
- In the event a hacker does breach your identity provider (through your master password), any linked networks will be vulnerable.
- As SSO provides overarching access, if the SSO application is down for whatever reason, you will lose access to all connected sites. This means that great care must go into choosing solutions that have proven little-to-no downtime.
- SSO has a considerable amount of implementation and configuration time – all existing passwords and accounts should be imported to the console to ensure your accounts are secured.
While SSO still has a great deal to offer organizations, it’s important to keep these points in mind, before investing in a solution.
Summary
There are a lot of benefits to implementing an SSO solution: network security can be enhanced, productivity improved and IT helpdesk time reduced. There are, however, drawbacks to having a SSO solution, too. Having one access for threat actors to compromise can become a huge security issue and shouldn’t be overlooked.
SSO is not a silver bullet solution, that much is true, but twinned with MFA and proper password hygiene, SSO can greatly enhance your login security across your entire network. This overarching benefit can outweigh the risks to your network, making it a tool not to be overlooked.
