SSO is fundamentally more secure than operating without it because it significantly improves an organisation’s security posture and mitigates the risk of data breaches. With a Single Sign-On solution, the initial authentication takes place either with the user verifying themselves directly to the IdP, or via the enterprise’s existing corporate directory. While this may be perceived as a single point of failure, the reality is that the alternative – requiring users to memorise dozens of different corporate passwords – creates many points of failure which are far weaker and more difficult to secure. Using SSO to leverage the trust delegated by the corporate network ensures that even cloud applications can have the same level of security as the corporate network.
Why is SSO more secure?
Maintaining so many passwords is only possible for the typical employee by adopting insecure practices such as writing passwords down, reusing them, or choosing easy-to-crack passwords. If the user is only required to authenticate with a single set of credentials, additional layers of security are easily added on top of it, such as a requirement to be on the corporate network (either physically or through a VPN), or the addition of Multi-Factor Authentication.
The greatest risk to corporate data is unauthorised access to the cloud applications that exist outside of the network perimeter. Having an SSO solution in place enables these apps to be protected, either by:
- Leveraging passwordless authentication where supported, using identity protocols such as SAML or OIDC.
- Where passwords are required, using an SSO solution that sets a unique, high-entropy password for each application, orders of magnitude more secure than passwords created and managed by the workforce.
Where the workforce are responsible for managing corporate passwords, this opens the enterprise up to the following risks:
Phishing attacks
The growth of phishing represents the biggest challenge in cybersecurity for enterprises, with Verizon’s Data Breach Report finding that phishing was the most common action in data breaches, present in 36% of them.
In more modern, sophisticated attacks, users are usually redirected to a login page which is a spoofed version of a site or app they may frequently log into. When their credentials are entered, the attacker can use these to gain access to their account in the future, as well as any others that reuse the same credentials.
When an organisation implements an SSO solution, however, passwords are either replaced with token-based authentication, or can be hidden from the workforce. This essentially makes a successful phishing attack impossible – in the case of token-based authentication, there is no password that can be entered into a spoofed site, and in the case of an SSO solution that hides passwords from users, the user cannot be phished for a password they do not know. In both cases, the SSO solution will also not recognise the site as trusted, so no credentials will be disclosed.
Brute force attacks
Where password-based authentication is used, brute force attacks are always an option available to hackers looking to break in. Using programs which test millions of combinations of usernames and passwords per second, these simply attempt to guess their way into any account. With the increase in hybrid working environments, these have become a particular issue since they often target Remote Desktop Protocol ports, which are required to be open for many remote working situations. By prioritising commonly used passwords, these programs are able to exploit lax practices where employees are responsible for creating and managing credentials themselves.
With SSO, token-based authentication makes brute force attacks impossible, and even where passwords are still used, extremely strong ones can be generated which will take far longer for brute force methods to crack, allowing attacks to be detected before they cause a breach.
Credential-stuffing
With four in ten UK businesses having suffered a data breach in the past 12 months, it is likely that many enterprise accounts are already compromised, particularly where employees reuse passwords that they also use for personal accounts outside the organisation. Credential stuffing attacks use a similar method to brute force, but first try credentials that have been compromised in previous data breaches, a problem exacerbated by the reuse of passwords.
With SSO, passwords are never reused between accounts, and token-based authentication ensures that the secure tokens are only valid for each individual session, making it impossible for hackers to leverage previously compromised credentials to attack other areas of the network in future.
Using Easy-to-Guess Passwords
Numerous surveys have highlighted the risks of letting employees create their own passwords for corporate applications. Left to their own devices, the workforce will create passwords for corporate applications that only just satisfy the application’s password policy but make it easy for the employee to remember. Examples of this would be choosing passwords that include the name of the company they work for with a number added at the end. This will satisfy most password policies but create a huge risk for the enterprise, particularly where corporate data is being stored in external, cloud applications.
A modern Single Sign-On solution that handles password-based authentication for web applications, and can enforce password policies on those external applications, ensures that external passwords are long, random, high-entropy strings of characters, numerals and symbols, making it almost impossible to guess the passwords used by the workforce.
Password Re-use
Another significant risk vector for enterprises is where the workforce re-use the same password across multiple applications. An example of this would be where they use the same email address and password combination for all of the corporate web applications they use. Another example would be where the employee uses an email address and password for personal applications and then re-uses these credentials for corporate web applications that are storing sensitive data in the cloud.
If one of these websites or applications is breached and malicious actors gain the email addresses and passwords, then password re-use by employees creates a domino effect that will enable the attackers to compromise multiple applications used by that user and potentially compromise corporate data as a result.
Modern SSO solutions that can enforce password policies on external cloud applications mitigate this risk by enabling enterprises to ensure that the password used on each external application is random and unique.
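The two points above, that a generated password is far harder to guess than a "company name plus a number" pattern, and that each application should get its own unique one, can be shown in a few lines. This is an added example, not code from the original article or from any SSO product; the `PasswordVault` class, the 94-character alphabet and the guess rate of one million per second (the figure the brute force section uses) are assumptions made here.

```python
import math
import secrets
import string

# Alphabet for generated application passwords: letters, digits and symbols (94 chars).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=24):
    """Draw each character uniformly from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def weak_pattern_bits(max_digits=4):
    """'CompanyName' followed by 1..max_digits digits. The attacker already knows the
    company, so only the numeric suffix is unknown: 10 + 100 + ... + 10**max_digits."""
    return math.log2(sum(10 ** k for k in range(1, max_digits + 1)))


def crack_time_seconds(bits, guesses_per_second=1e6):
    """Expected time to hit the password after trying half the keyspace."""
    return (2 ** bits) / 2 / guesses_per_second


class PasswordVault:
    """Hypothetical vault an SSO solution might keep: one generated password per
    application, never reused, and never shown to the user."""

    def __init__(self):
        self._secrets = {}  # app name -> password

    def enrol(self, app, length=24):
        """Return the app's password, generating a fresh unique one on first use."""
        if app not in self._secrets:
            candidate = generate_password(length)
            while candidate in self._secrets.values():  # astronomically unlikely
                candidate = generate_password(length)
            self._secrets[app] = candidate
        return self._secrets[app]

    def all_unique(self):
        values = list(self._secrets.values())
        return len(values) == len(set(values))
```

At a million guesses per second the weak pattern falls in well under a second, while a 24-character generated password sits above 150 bits and is out of reach of exhaustive guessing.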
Insecure Password Storage
Numerous studies report that the average employee has to manage anything from 25 to 200 corporate-related passwords. Without an effective SSO solution in place this becomes almost impossible to manage securely and often results in users storing corporate passwords in insecure locations: spreadsheets or Word documents held locally, on shared servers, or even in cloud-based document sharing applications. These locations are often poorly protected and offer rich pickings for malicious actors, vastly increasing the enterprise’s attack surface.
Modern SSO solutions mitigate this risk by giving users access to applications through authentication protocols, so that no passwords are required at all. For applications that do still require passwords, modern SSO solutions often provide integrated Enterprise Password Management functionality that enables password-based SSO and removes the need for users to store passwords in insecure locations.