Is Single Sign-On (SSO) the answer to our Identity-related struggles? Microsoft, Google and other tech giants are rolling out their own SSO features, seemingly emphasising that the focus shouldn’t be put on making passwords more challenging, but rather, we should be reducing the overall number of passwords we use. Leveraging this point, this blog offers up SSO as a potential solution to our password woes. But is it really that simple? Sure, SSO is convenient, but is it really the precursor to a passwordless future? There’s a lot more to this discussion on passwords, SSO, and cybersecurity. So, here is MOQdigital’s take.
Single Sign-On: Why Isn’t It Enough?
Single Sign-On (SSO) is the practice of using a session and user-authentication service that permits an end user to enter one set of login credentials (such as name and password) to access multiple applications. A user simply logs into their SSO portal and can then seamlessly access all applications without having to authenticate again during a single session (such as a normal work day).
It’s true that SSO portals help organisations address important identity challenges, while offering clear productivity and user experience benefits. Many organisations see the effects of these benefits and assume it is meeting all their identity and access needs.
However, this simply isn’t the case. MOQdigital cautions against relying on SSO as the sole identity measure, as it is but a component of the larger Identity Management system; it only improves your security posture when combined with other identity and cybersecurity solutions.
By condensing all applications down to one username and password, your Identity Management is only as robust as that one set of credentials. If it's a horrible password, your security situation hasn't improved. Furthermore, if a hacker gets a hold of a user’s SSO login credentials, they can access all the user’s resources. This is especially dangerous if that user has access to privileged information or mission-critical data.
So, What’s Wrong with Passwords?
For years, users have been asked to create and remember an increasing number of passwords—each bound by increasingly complex policies and rules. But has all this time you’ve spent trying to create tougher-to-crack passwords really been a waste? Not really.
While it is true that some companies may be a little too heavy-handed regarding password management, and overly stringent password policies don’t necessarily increase security, the reality is that passwords aren’t completely going away any time soon. This means that users need to do everything they can to secure the passwords they've got—especially their SSO password.
Current recommendations are to encourage longer passwords without forced expiration, while checking new passwords against lists of common and previously breached passwords. This improves both usability and security.
As an additional measure, MOQdigital recommends storing passwords in a password manager that organises and secures your many passwords for you, so users can have long, unique passwords without needing to remember each one.
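The policy just described (length first, no forced expiry, reject anything on a common or breached list) can be expressed as a small checker. The following is an added example written for this post, not MOQdigital's code; the breached-password list is a constructed sample, and the range index stands in for a k-anonymity lookup service so the check runs offline. The "send only a SHA-1 prefix, match the suffix locally" pattern is the one widely used for breach checks, so the password itself never leaves the client.

```python
import hashlib

# Constructed sample standing in for a list of common and previously breached
# passwords. A real deployment would use a full breach corpus or a k-anonymity
# lookup service; the entries here are made-up values for this example.
KNOWN_BAD_PASSWORDS = [
    "password", "123456", "qwerty123", "letmein", "welcome1", "Summer2023!",
]

MIN_LENGTH = 12  # favour length; no complexity rules and no forced expiry


def sha1_parts(password: str) -> tuple:
    """Return the (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest.

    k-anonymity pattern: only the prefix is ever sent to a lookup service, and
    the client matches the suffix locally against the candidates it gets back.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_index(passwords: list) -> dict:
    """Index breached passwords by SHA-1 prefix, mimicking what a range service holds."""
    index = {}
    for pw in passwords:
        prefix, suffix = sha1_parts(pw)
        index.setdefault(prefix, set()).add(suffix)
    return index


RANGE_INDEX = build_range_index(KNOWN_BAD_PASSWORDS)


def is_breached(password: str, index: dict = RANGE_INDEX) -> bool:
    """Check a password without revealing it: look up the prefix, match the suffix locally."""
    prefix, suffix = sha1_parts(password)
    candidates = index.get(prefix, set())  # stands in for the service's range response
    return suffix in candidates


def evaluate_password(password: str) -> dict:
    """Apply the length-first policy: long enough, not breached, not a trivial repeat."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("found in breached/common password list")
    if len(set(password.lower())) < 4:
        problems.append("too little variety (repeated characters)")
    return {"accepted": not problems, "problems": problems}


if __name__ == "__main__":
    for candidate in ["password", "Summer2023!", "aaaaaaaaaaaaaa", "coral-lantern-quiet-meadow"]:
        print(candidate, evaluate_password(candidate))
```

Note that there is deliberately no expiry check: under this policy a password is rotated when it is found to be compromised (the breached-list check fires), not on a calendar.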
Balancing Usability and Security with Multi-Factor Authentication
Really long passwords and password managers may be the safer bet, but even the best passwords aren’t enough to keep an organisation safe. While brute force attacks that “crack” a user’s password do still occur, far more attacks simply capture credentials or trick a user into giving them up, through phishing, malware, and keylogging.
To prevent unauthorised access due to stolen credentials, organisations should implement multi-factor authentication (MFA). MFA prevents unauthorised access by adding a second or third verification method in addition to username/password. So even if a user’s password is compromised, the attacker still wouldn’t have the other authentication factors.
Many of today’s MFA solutions offer the flexibility to increase security without negatively affecting usability. These solutions can manage multiple forms of authentication simultaneously and can assign different forms of authentication to end users for different access scenarios.
You can also tailor the level of authentication required based on the risk level a user presents with risk-based authentication. So, more stringent authentication can be required for high-risk scenarios, while users in low-risk situations don’t have to be overly burdened with additional steps when logging in.
For organisations with SSO portals, this allows end users to keep the productivity and efficiency benefits associated with SSO while overcoming its security limitations. When logging into an SSO portal, MFA augments password strength by adding additional layers of protection, or can even replace passwords with different authentication methods altogether. Additionally, if a user has access to a sensitive system, MFA can be applied to that specific system for added security.
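Putting the last three sections together, here is an added example (written for this post, not MOQdigital's or any vendor's code) of an SSO-style login that verifies a password, scores the sign-in with risk-based rules, and steps up to a time-based one-time password (TOTP, RFC 6238) only when the risk warrants it. The user record, salt, risk weights and threshold are constructed assumptions; the TOTP secret is the RFC 6238 reference secret so the codes can be checked against its published vectors. The point the post makes is visible in the flow: a stolen password alone is not enough once the step-up triggers.

```python
import hashlib
import hmac
import struct

# Constructed demo user store. Salt and password are made-up sample values;
# the TOTP secret is the RFC 6238 test secret (ASCII "12345678901234567890").
USERS = {
    "alice": {
        "salt": b"demo-salt-not-for-production",
        "password_hash": None,  # filled in below
        "totp_secret": b"12345678901234567890",
    }
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256); never store plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


USERS["alice"]["password_hash"] = hash_password("coral-lantern-quiet-meadow", USERS["alice"]["salt"])


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + i * 30), code)
               for i in range(-window, window + 1))


# Assumed risk weights for this example; a real engine would use many more signals.
RISK_WEIGHTS = {
    "new_device": 3,
    "unfamiliar_location": 2,
    "impossible_travel": 5,
    "privileged_app": 4,
}
STEP_UP_THRESHOLD = 3


def risk_score(signals: dict) -> int:
    """Sum the weights of every signal that is present on this sign-in."""
    return sum(weight for name, weight in RISK_WEIGHTS.items() if signals.get(name))


def required_factors(score: int) -> list:
    """Low risk: password only. At or above the threshold: add a second factor."""
    return ["password", "totp"] if score >= STEP_UP_THRESHOLD else ["password"]


def authenticate(username: str, password: str, signals: dict, at: int, totp_code: str = None) -> dict:
    """Evaluate a sign-in: password first, then risk-based step-up to TOTP."""
    user = USERS.get(username)
    if user is None:
        return {"ok": False, "reason": "unknown user"}
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["password_hash"]):
        return {"ok": False, "reason": "bad password"}
    factors = required_factors(risk_score(signals))
    if "totp" in factors:
        if totp_code is None:
            return {"ok": False, "reason": "step-up required", "factors": factors}
        if not verify_totp(user["totp_secret"], totp_code, at):
            return {"ok": False, "reason": "bad totp", "factors": factors}
    return {"ok": True, "factors": factors}


if __name__ == "__main__":
    pw = "coral-lantern-quiet-meadow"
    print(authenticate("alice", pw, {}, at=59))                                   # known device: password only
    print(authenticate("alice", pw, {"new_device": True}, at=59))                 # step-up required
    print(authenticate("alice", pw, {"new_device": True}, at=59, totp_code="287082"))  # RFC vector for T=59
```

With the RFC 6238 secret, the code for T=59 is 287082 (the last six digits of the published 8-digit value 94287082). The design choice worth noting is that the step-up decision is made after the password check but before any session is issued, so the low-risk path keeps SSO's convenience and the high-risk path is where the second factor is demanded.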
What About a Passwordless Future?
Is all hope for a passwordless future lost? Not at all! Implementing solutions such as MFA along with SSO can help organisations find the right balance between maintaining usability and convenience for users and overall security. Furthermore, MFA can be tailored to an organisation's unique needs and security requirements.
MFA solutions are moving in that direction as organisations look for sophisticated authentication methods that enhance security without burdening users. For modern applications, organisations can implement alternative authentication methods, such as push notifications, OTP soft tokens, fingerprint biometrics, and RFID cards in place of traditional passwords. When passwordless authentication is combined with risk-based access controls, an organisation can simultaneously increase security and decrease user friction.
SSO/MFA and MOQdigital
SSO and MFA are necessary components not just of your organisation’s cybersecurity capabilities, but of the foundation for digital innovation.
To assist you in planning your Identity Strategy, MOQ offers three engagements depending on your identity maturity:
- Snapshot: If you are new to Identity, this quick free engagement will give insight into your current identity state and potential gaps.
- Securing Identities Workshop: If you know you are ready, this 3-day workshop will jump straight into planning.
- Identity Strategy: If you need assistance at a strategic level, we can assist with building out this plan and implementation.
If you would like to learn more about how MOQdigital can help you on your identity journey, please contact us here.