In traditional authentication schemes, users need to create, and remember, separate login details for each service or system they use. With the average organisation using over 1000 distinct cloud services, burdening users with countless different passwords raises security risk through password re-use, or through the use of ever simpler passwords as users become fatigued by the overwhelming number of credentials. Further, these credentials are most often stored in an abstracted, remote datastore unique to each application or service; there must be an implicit trust that the service is storing these passwords correctly and securely, and that any compromise is disclosed quickly enough to act on.
Single sign-on, as the name suggests, instead allows users to authenticate with external services using a single, common set of credentials such as a domain account. Account credentials can be stored internally in a trusted and known environment that the organisation controls, and users need only remember a single set of credentials.
The increasing use of SSO has coincided with the rise in cloud services and applications, and a highly mobile workforce. Organisations are increasingly faced with challenges in efficiently creating, managing and auditing user accounts, applying permissions and offboarding staff who leave the business. From a security perspective, the sheer number of user credentials and the potential for poor password hygiene or re-use represent a significant risk to an organisation, and a valuable target for cybercriminals. Each new login is an opportunity for adversaries to compromise a user’s details, particularly when coupled with BYOD or devices not controlled by the organisation, which hampers an organisation’s ability to audit and protect its assets.
Single sign-on can bring efficiency gains to organisations, simplifying the user management process and the rollout of new SaaS products. Support teams also spend less time managing account creation and password reset tickets, giving them time to focus on more valuable efforts.
Users need only remember a single set of credentials, reducing the need to re-use the same password, or simple passwords, across several systems. Users are hence incentivised to use a much more complex password, and organisations can enforce this with less friction.
Sporadic implementation and activation of MFA across several services presents a security risk for account compromise. SSO gives organisations the ability to enable MFA at the single authentication service level, enforcing its use across the business.
Account instantiation, new user authorisations and the rollout of cloud-first applications are simpler for both IT teams and staff. SSO enables highly scalable user management.
A highly mobile workforce means staff are no longer just in the office; SSO gives organisations the flexibility to grant staff access to applications when working on-site, while limiting those when working remotely, improving overall security posture and mitigating potential for compromise.
Utilising SSO gives organisations visibility into staff login/logout and application usage, and enables analysis and security auditing of ongoing activity through logging.
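The visibility described above lends itself to simple audit rules run over the identity provider's sign-in log. The following is an added example, not code from the original article or from any SSO product; it parses a constructed log in a hypothetical key=value format and flags successful sign-ins that skipped MFA (the enforcement gap discussed earlier) and accounts that succeeded shortly after a burst of failures.

```python
"""Audit a centralised SSO sign-in log for MFA gaps and failure-then-success patterns."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical key=value format (not any vendor's real schema).
SAMPLE_LOG = """\
ts=2024-03-01T08:00:05Z user=alice app=crm result=success mfa=true ip=203.0.113.10
ts=2024-03-01T08:01:10Z user=bob app=mail result=success mfa=false ip=203.0.113.11
ts=2024-03-01T08:02:00Z user=carol app=hr result=failure mfa=false ip=198.51.100.7
ts=2024-03-01T08:02:20Z user=carol app=hr result=failure mfa=false ip=198.51.100.7
ts=2024-03-01T08:02:40Z user=carol app=hr result=failure mfa=false ip=198.51.100.7
ts=2024-03-01T08:03:00Z user=carol app=hr result=success mfa=true ip=198.51.100.7
ts=2024-03-01T09:30:00Z user=alice app=wiki result=success mfa=true ip=203.0.113.10
"""

def parse(log_text):
    """Turn each log line into a dict; ts becomes a datetime and mfa a bool."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = dict(field.split("=", 1) for field in line.split())
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["mfa"] = ev["mfa"] == "true"
        events.append(ev)
    return events

def find_no_mfa_logins(events):
    """Successful sign-ins that completed without a second factor: an MFA enforcement gap."""
    return [(e["user"], e["app"]) for e in events if e["result"] == "success" and not e["mfa"]]

def find_failures_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` failures followed by a success inside `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            # Only failures that precede this success and fall inside the window count.
            recent = [f for f in evs[:i] if f["result"] == "failure" and e["ts"] - f["ts"] <= window]
            if len(recent) >= threshold:
                flagged.append(user)
                break
    return flagged

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("sign-ins without MFA:", find_no_mfa_logins(evs))
    print("failures then success:", find_failures_then_success(evs))
```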
Implementing single sign-on at an organisation is often more complex, and can take longer to set up, than expected. Before starting, it is key to plan the approach in detail; initial planning should include:
It is also important to recognise that SSO has challenges associated with it, and it cannot be considered a silver bullet for enterprise user management. In traditional authentication schemes, users may have different passwords for each service, reducing the attack scope in case of compromise. With SSO, however, a compromise of a user’s single account credentials gives cybercriminals access to every system the user is authorised to use. This is mitigated, however, by enforcing complex passwords and requiring the use of multi-factor authentication for all users.
Single sign-on configurations also represent a single point of failure: several situations may lead to a loss of connectivity to the SSO authentication server, and such interruptions can cause critical business failures, with users unable to access any external service configured with SSO.
The implementations of the authentication protocols utilised by SSO, namely SAML and OAuth, are themselves not immune to security vulnerabilities. Previously discovered vulnerabilities have allowed adversaries to manipulate protocol requests without breaking the cryptographic signature, so that the request remains valid and the adversary can log in as their target. The extent to which these vulnerabilities can be exploited, however, depends on the quality of the implementation. Trusted SSO providers invest significant resources into developing secure and scalable platforms, and a key part of rolling out SSO is choosing a high quality and trusted provider.