Several of our customers have asked whether Microsoft’s recent report on single sign-on flaws should make them worry about single sign-on in general.
Microsoft’s research paper focuses on the single sign-on protocols Facebook Connect, OpenID and Google ID. These are all social single sign-on systems whose primary objective is to provide convenience to the user rather than very strong security. As an example, when Facebook Connect was first announced, it was positioned as an easy way for third-party sites to tap into Facebook’s social graph. Once you are signed into Facebook, sites like Yelp can use your active Facebook session to extract your name and photo, as well as make it easy to post your own reviews on your Facebook wall.
Social single sign-on solves a different problem than enterprise single sign-on, which is designed with security as the number one priority. Security Assertion Markup Language (SAML) is the standards-based enterprise single sign-on protocol used by leading SaaS applications like Google Apps, Salesforce and WebEx. SAML’s security uses digital signatures to ensure message integrity and authentication. OneLogin’s SAML implementation uses 2,048-bit keys, which are considered to be impossible to break with the processing power available today and well into the future.
It can be hard for most people to grasp just how strong a 2,048-bit key is, so here is a video that visualizes how long it would take to crack a 2,048-bit key using a modern desktop computer.
If you want to understand the math behind the video, check out the details here.
The math itself behind SAML is very strong, and when vulnerabilities in enterprise single sign-on are found, they are related to a vendor’s implementation of the protocol and how it is integrated with the rest of their service. For example, a vendor may allow users to sign in with a password even when SAML is turned on, which could be viewed as a way of circumventing the multi-factor authentication enforced by the identity provider.
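To make the password-fallback problem concrete, here is an added example (not code from OneLogin or from the Microsoft paper) that models a service provider’s login decision. The org policy, login attempt fields and outcome names are assumptions; the point is that the weak version checks the password without ever consulting whether the org has SAML turned on, while the hardened version sends every login for a SAML-enabled org to the identity provider.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    ALLOW = "allow"
    DENY = "deny"
    REDIRECT_TO_IDP = "redirect_to_idp"


@dataclass
class OrgPolicy:
    # Hypothetical per-organisation setting: SAML has been turned on for this org.
    saml_enabled: bool


@dataclass
class LoginAttempt:
    # method is "password" or "saml"; the two flags stand in for the real checks
    # (password hash comparison, XML signature verification of the SAML response).
    method: str
    password_ok: bool = False
    assertion_signature_valid: bool = False


def weak_login(policy: OrgPolicy, attempt: LoginAttempt) -> Outcome:
    """Vulnerable pattern: the password path ignores the org's SAML setting."""
    if attempt.method == "saml":
        return Outcome.ALLOW if attempt.assertion_signature_valid else Outcome.DENY
    # Bug: a valid password is enough even when the org relies on its IdP for MFA.
    return Outcome.ALLOW if attempt.password_ok else Outcome.DENY


def hardened_login(policy: OrgPolicy, attempt: LoginAttempt) -> Outcome:
    """Hardened pattern: SAML-enabled orgs never authenticate with a local password."""
    if policy.saml_enabled:
        if attempt.method != "saml":
            # Do not evaluate the password at all; hand the user to the IdP.
            return Outcome.REDIRECT_TO_IDP
        return Outcome.ALLOW if attempt.assertion_signature_valid else Outcome.DENY
    if attempt.method == "password":
        return Outcome.ALLOW if attempt.password_ok else Outcome.DENY
    # A SAML response for an org that never configured SAML is not trusted.
    return Outcome.DENY
```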