Securing Single Sign-On: Balancing User Convenience and Enterprise Protection

Single sign-on (SSO) reduces credential fatigue while presenting unique security considerations that require careful architectural planning. In particular, SSO implementations must balance user experience with layered defense mechanisms.

From a user's perspective, SSO provides the ability to log in once and start using their chosen applications, saving time and effort. But from a threat actor's viewpoint, a single login means something different: one point of entry to multiple applications, to email inboxes from which passwords can be reset and changed, and to a foothold for carrying out malicious activity undetected.

Of course, the alternative is a scattered environment with various entry points and passwords. The resulting lack of visibility means IT teams have no way to monitor, control and detect anomalous behaviors.

Password reuse across multiple logins

The rise in BYOD means the boundaries between personal and professional workspaces are blurred. Any user recycling passwords, or using their corporate email to sign up for consumer services, can put the business at risk, especially as phishing and social engineering remain highly common threat vectors, along with brute force attacks.

If a personal password is breached, the fallout can now extend to a victim’s workplace. That’s what happened with the LinkedIn 2012 hack. One compromised victim had reportedly used the same now-breached password for their Dropbox account. This allowed attackers to gain access to the filesharing service’s user database, leading to the leak of over 68 million email addresses and passwords.

In recent years, it’s no longer just human logins that can be compromised.

Non-human identities requiring access

More entities are connecting to environments for integrations with third-party apps, APIs and devices.

Efficiency and scalability come from being able to run autonomously. Yet without supervision and adequate lifecycle management, there's a risk that any compromise stays undetected. After all, machines also need to be granted access, assigned roles and given permissions. But this often happens at scale and with high complexity, such as with thousands of IoT devices or sensors that provide constant sources of data, with . At such volumes, it's natural to want to streamline entry points. However, automation doesn't necessarily reduce the attack surface.

Single point of failure

It's perfectly acceptable to advise a workforce not to reuse passwords across multiple software products. However, the average large enterprise reportedly uses 664 apps, with individual users accessing 11 core apps daily on average. This necessitates automated user provisioning/deprovisioning systems to maintain least privilege access. Moreover, faced with growing volumes of logins to remember, employees are often advised to use a password manager. And while a single repository means a simpler way to manage passwords and access applications, it also means a single point of entry if the master password is breached.

There may also be unmanaged apps or other Shadow IT around the edges. These are often more complex to monitor than birthright access apps such as email, document management or HR and CRM. Without full visibility there’s an increased attack surface from unmanaged renewals and expiries, unnecessary license usage and standing privileges, plus potential gaps in compliance and governance.

What SSO looks like with the right controls

Peel back some of the layers of single sign-on, and there should be centralized, secure, automated access management, where entry conditions are managed in a way that ensures security without vulnerability. The goal is to find the right balance between convenience and security for enterprise users.

Building a federated trust network

Despite the 'sign-on' in the name, SSO isn't simply a case of signing on to a network and gaining access. Entering the username and password should trigger a host of identity-related actions that determine whether access is granted. This is done with protocols such as SAML 2.0 and OpenID Connect. SAML 2.0 enables XML-based authentication assertions between identity providers and service providers, while OpenID Connect uses JSON Web Tokens for modern web and mobile implementations. These offer secure authentication protocols for use with VPNs, firewalls, device apps, plus cloud and on-premises resources.
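To make concrete what "identity-related actions" a service provider runs when it receives an OpenID Connect ID token, here is an added example (not code from the original article or from any vendor it mentions) of the relying-party side: it verifies the token signature and then the issuer, audience, expiry and nonce claims before trusting the identity. The issuer URL, client ID and shared secret are constructed demo values; the example signs with HS256 so it runs with the standard library alone, whereas a real IdP would typically sign with RS256/ES256 keys published in its JWKS. The claim checks are the same either way.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions for this example, not a real deployment).
SHARED_SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.com"   # the IdP the relying party trusts
EXPECTED_AUDIENCE = "payroll-app"             # this relying party's client_id
CLOCK_SKEW = 60                               # seconds of tolerance between IdP and RP clocks


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Stand-in for the IdP: build a compact HS256 JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: Optional[int] = None,
                      secret: bytes = SHARED_SECRET) -> dict:
    """Relying-party checks. Raises ValueError on any failure; returns the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the RP side: the token header must never choose it
    # (this is what blocks 'alg=none' and key-confusion style tokens).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Issuer: the token must come from the IdP this RP federates with.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    # Audience: a token minted for another app must not be accepted here.
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    # Lifetime: reject expired tokens and tokens claiming to be issued in the future.
    if now > int(claims.get("exp", 0)) + CLOCK_SKEW:
        raise ValueError("token expired")
    if int(claims.get("iat", 0)) > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    # Nonce: ties the token to the login request that started this flow, so a
    # captured token cannot be replayed into a different session.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    now = int(time.time())
    token = mint_id_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice",
                           "iat": now, "exp": now + 300, "nonce": "n-123"})
    print("accepted:", validate_id_token(token, "n-123")["sub"])
    try:
        validate_id_token(token, "some-other-nonce")
    except ValueError as err:
        print("rejected:", err)
```

The order matters: the signature is checked before any claim is read, and the algorithm is fixed by the relying party rather than taken from the token, so an attacker who controls the token bytes cannot downgrade the verification.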

For example, an Identity Provider (IdP) can monitor the device ID to check whether the device has previously been used to log in. This can include building device profiles that record the browser and operating system used. It can also monitor the geographic location, triggering further identity checks if the login comes from an unrecognized or new location. The result is a smoother login experience for approved users, with hardened security and an identity fabric across an integrated ecosystem.

Automating security at scale

SSO goes beyond the capability of password managers: when trust is established on one system, users can be approved on other systems automatically, rather than relying on manual processes. When credentials are compromised, anomaly detection can be triggered to deny access to all the other platforms that are part of the federated environment.

Alongside the boost to security, there’s the agility that comes from accelerated access policies. Predefined rules help to reduce friction for users, and also support compliance and create a unified audit trail. Further sophistication comes from Advanced Authentication, allowing businesses to secure and simplify access at scale.

Advanced authentication

Advanced Authentication brings in technologies such as machine learning (ML). Login attempts can be automatically assessed for risk levels, with machine learning algorithms adjusting security protocols based on user identity profiles. Setup varies based on business requirements, such as industry and level of regulation. For example, some may combine Multi-Factor Authentication with behavioral analytics, for real-time analysis and contextual evaluation of login credentials.

For an added security layer, authentication can even go beyond passwords altogether with passwordless authentication. This removes the risk of password-related compromise by verifying identities with biometrics or possession factors instead.

If attackers can leverage AI, so can defenders, in the form of AI-powered pattern detection. Broadly, this means identifying and acting on patterns in data. Applied to cybersecurity, the AI can learn individual user behaviors, create a baseline of acceptable risk and ensure a positive experience for legitimate users. Any deviation from the norm lets the AI flag potential malicious activity and request additional steps from potential threat actors. Essentially, it finds the balance between user experience and enterprise protection.
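The device-profile, location and baseline-deviation checks described in the last few paragraphs combine naturally into a single risk score that decides between allowing a login, stepping up to additional verification, or denying it. The following is an added example of such a context-aware evaluation, written for this article rather than taken from it or from any vendor's product. The weights, thresholds and the 900 km/h plausibility limit for "impossible travel" are constructed assumptions; a production system would learn the baseline with the ML techniques the article mentions rather than use fixed numbers, but the decision structure is the same.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed scoring weights and thresholds (demo assumptions, not any vendor's values).
WEIGHT_NEW_DEVICE = 40
WEIGHT_DEVICE_PROFILE_CHANGED = 15
WEIGHT_NEW_COUNTRY = 30
WEIGHT_IMPOSSIBLE_TRAVEL = 50
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # faster than a commercial flight between two logins
STEP_UP_THRESHOLD = 30            # at or above: ask for an additional factor
DENY_THRESHOLD = 80               # at or above: refuse and raise an alert


@dataclass
class LoginContext:
    """Signals the IdP sees on one login attempt (constructed demo fields)."""
    user: str
    device_id: str
    browser: str
    os: str
    country: str
    lat: float
    lon: float
    timestamp: int  # unix seconds


@dataclass
class UserProfile:
    """Per-user baseline accumulated from previous successful logins."""
    known_devices: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # id -> (browser, os)
    known_countries: Set[str] = field(default_factory=set)
    last_login: Optional[LoginContext] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def assess_login(ctx: LoginContext, profile: UserProfile) -> Tuple[str, int, List[str]]:
    """Return (decision, risk_score, reasons); decision is 'allow', 'step_up' or 'deny'."""
    score, reasons = 0, []
    # Device check: unknown device, or a known device whose browser/OS profile changed.
    known = profile.known_devices.get(ctx.device_id)
    if known is None:
        score += WEIGHT_NEW_DEVICE
        reasons.append("unrecognised device")
    elif known != (ctx.browser, ctx.os):
        score += WEIGHT_DEVICE_PROFILE_CHANGED
        reasons.append("device profile changed (browser/OS)")
    # Location check: a country this user has never logged in from before.
    if ctx.country not in profile.known_countries:
        score += WEIGHT_NEW_COUNTRY
        reasons.append(f"new location: {ctx.country}")
    # Impossible travel: distance from the previous login divided by elapsed time.
    prev = profile.last_login
    if prev is not None and ctx.timestamp > prev.timestamp:
        km = haversine_km(prev.lat, prev.lon, ctx.lat, ctx.lon)
        hours = (ctx.timestamp - prev.timestamp) / 3600.0
        if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += WEIGHT_IMPOSSIBLE_TRAVEL
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


def record_successful_login(profile: UserProfile, ctx: LoginContext) -> None:
    """Fold a verified login into the baseline so later assessments learn from it."""
    profile.known_devices[ctx.device_id] = (ctx.browser, ctx.os)
    profile.known_countries.add(ctx.country)
    profile.last_login = ctx


if __name__ == "__main__":
    profile = UserProfile()
    office = LoginContext("alice", "dev-1", "Firefox", "Windows", "GB", 51.50, -0.12, 1_700_000_000)
    print(assess_login(office, profile))          # first ever login: step_up (new device + country)
    record_successful_login(profile, office)
    later = LoginContext("alice", "dev-1", "Firefox", "Windows", "GB", 51.50, -0.12, 1_700_003_600)
    print(assess_login(later, profile))           # same device, same country: allow
    far = LoginContext("alice", "dev-9", "Chrome", "Linux", "AU", -33.87, 151.21, 1_700_003_600)
    print(assess_login(far, profile))             # new device, new country, 17,000 km in 1 h: deny
```

The baseline is only updated by `record_successful_login`, which should run after the step-up factor has actually been satisfied; feeding unverified attempts into the profile would let an attacker teach the system that their device is normal.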

Usability & security: Creating a best-of-both worlds solution

With the above elements controlled, it’s time to put them in the right place. That means making sure any security program – spanning corporate mentality to overall strategy to vendor selection – is fully user-centric. It’s an outcome that successful security leaders achieve by:

  • Building in usability to the security charter
    Hiring talent that understands how to make security the easy and default option for users, so they’re not tempted to use risky workarounds to achieve their goals
  • Asking the right questions when selecting vendors
    Making sure procurement processes ask vendors exactly how their solutions support both usability and security, without the need for compromise or trade-off
  • Partnering with users to develop their security knowledge
    Strengthening the business’s first line of defense against threats, offering training and education to recognize and react to potential threats

Implementation Checklist for Secure SSO

To operationalize these principles, consider the following measures:

  • Secure SSO Portal Configuration
    This is SSO with the increased security that comes from policy-driven password protection, MFA and context-aware access management. To harden security further, password policies can be made more restrictive, with greater length, complexity and reuse restrictions. Additionally, session timeouts and self-service resets help bring a balance of heightened security and increased usability.
  • Adaptive Multi-Factor Authentication Deployment
    The adaptive element takes authentication beyond static, rules-based MFA, where users have to authenticate at every login and organizations remain vulnerable to brute force and spear phishing attacks. Instead, adaptive MFA uses AI to dynamically adjust authentication requirements, with real-time assessment of login attempts and low-risk users allowed appropriate access at the right time.
  • One-Time Password (OTP) Protect
    To reduce any friction from MFA, OneLogin Protect allows a user to log in by approving a push notification sent to their device. Validation happens in OneLogin using the time-based one-time password algorithm (TOTP). This lets endpoints exchange one-time passwords that are valid for a 30-second window and derived from an HMAC.

SSO should be implemented as part of a Zero Trust architecture to align with modern security frameworks. With “Zero Trust,” access should no longer be granted based on network location. Instead, it should be informed by a user’s authorized access, information about the device they are using, and contextual information about what is normal for the type of access request.

With these measures in place, businesses can solve challenges around password overload and reuse, reducing the number of logins needed while also reducing the attack surface. Increased self-service capability puts less of a burden on IT and their service tickets. Finally, by moving to a model of risk-based authentication, there is less of a chance of privilege creep.
