What is SSO and how Keyless helps improve SSO security
16 February 2023

The average business typically has multiple subscriptions to a vast number of cloud services or online-enabled software such as Microsoft OneDrive, Teams, and the Google Workspace suite. With every site or service requiring unique and often complex login credentials, employees will often reuse passwords to make their login information easier to remember.

As we have previously highlighted, passwords are no longer able to fulfill the simple role they were designed for and have lost both their intuitiveness and effectiveness when it comes to mitigating unauthorized access. Unfortunately, despite a steady increase in hacking attacks and data breaches caused by compromised credentials, passwords are still the most common method of verifying a user’s identity online.

Reusing passwords poses a significant threat to both employee and company security. While Single Sign-On (SSO) authentication can somewhat reduce this threat by allowing users to log in to multiple applications with a single password, there are still security risks. With SSO, it only takes one compromised password for a bad actor to access a wide range of internal apps and systems. SSO security can be improved by replacing passwords with Keyless’ passwordless authentication solution.

What is Single Sign-On (SSO)?

SSO is a session and user authentication service that allows a user to access multiple applications and services using a single set of login credentials.

One of the main benefits of SSO for both employees and businesses is that enterprise users no longer have to create a unique password for every application they need throughout their working day. This means that businesses using SSO can reduce their security vulnerabilities while also increasing employee productivity and collaboration.

SSO authentication works on a trust-based relationship between an application (the service provider) and an identity provider. This “relationship” between identity provider and service provider is based on an authentication certificate that the two parties exchange when the user attempts to log in to an application.
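The exchange described above, as an added illustration that is not part of the original post or of Keyless' product: the identity provider issues a short-lived, signed assertion for one specific service provider, and the service provider only trusts it after checking the signature, the intended audience and the validity window. An HMAC shared secret stands in for the certificate-based signature, and all names, URLs and the secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret standing in for the key material the identity
# provider and service provider exchange when the trust relationship is set up.
IDP_SECRET = b"constructed-demo-secret-do-not-use"
SP_AUDIENCE = "https://app.example.test"  # constructed service-provider identifier


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(subject: str, audience: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Identity provider side: sign a short-lived assertion bound to one service provider."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = json.dumps(claims, separators=(",", ":")).encode()
    signature = hmac.new(IDP_SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(signature)


def sp_verify_assertion(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Service provider side: accept the assertion only if signature, audience and expiry all hold."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, signature = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(IDP_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None  # forged or tampered assertion
    claims = json.loads(body)
    if claims.get("aud") != SP_AUDIENCE:
        return None  # issued for a different application; must not be accepted here
    if not (claims["iat"] <= now < claims["exp"]):
        return None  # expired (or not yet valid) assertion
    return claims
```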

Security concerns of SSO Integration

One thing is clear: SSO improves the user experience. But at what cost? Let’s take a look at the security risks associated with an SSO authentication model.

Extensive multi-application access

Data from the Verizon Business 2022 Data Breach Investigations Report showed that hacking was the most common form of data breach, with Denial of Service (DoS) attacks and the use of stolen credentials each responsible for 40% of the hacking actions taken last year.

An SSO service is a potential golden ticket for cybercriminals because once a hacker has obtained the SSO login credentials, they automatically gain access to any number of applications linked to that account. Depending on how a user is authenticated (e.g., via OTPs sent to an email address), a hacker could also take full control of an employee's email account and use it to register for even more services.

SSO authentication can also raise issues for businesses that have multiple users on a single device. For example, if the previous user forgets to completely log out of the SSO service before leaving the device, any accounts authenticated to that user will still be accessible on that same device for the next employee. Depending on the intentions of the second employee using the device, they could use their colleague's account to defame others, which could result in the termination of the wrong employee.

SSO is dependent on identity partners

Many SSO services rely on external identity providers (such as Apple, Facebook or AWS) for Identity and Access Management (IAM) to verify and authenticate a user. However, should the third-party identity partner's service be unavailable for whatever reason, the end user will be unable to access any of their accounts.

In practice, this means that even if the application’s (or service provider’s) service is available, a user will not be able to access their account directly. Instead, the user must wait until the identity provider's services are back online in order to use their account.

Little adherence to the principle of least privilege

The principle of least privilege dictates that a user should only have access to the minimum data, applications, and files needed to do their job. For example, under this principle, if a user wishes to access a file outside the scope of their role, they will need to request access before they can view or edit the file.

However, SSO systems do not necessarily restrict users to content that is relevant to their position. The security concern here is that senior-level, company-sensitive information could potentially be viewed by junior or freelance staff. Depending on what security procedures are in place, a rogue employee could also sabotage company documents if they haven’t been write-protected.
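An added example, not from the original post or from any Keyless product, of what closing this gap looks like on the service-provider side: SSO establishes who the user is, and a separate default-deny policy decides what that user may read or write, so a junior or contractor role never sees board-only material and write access is granted separately from read access. The role names, classifications and documents are constructed for the example.

```python
from typing import Dict, FrozenSet, List, Set

# Constructed policy: classification -> role -> allowed actions.
# Anything not listed is denied; a successful SSO login on its own grants nothing.
POLICY: Dict[str, Dict[str, FrozenSet[str]]] = {
    "public": {
        "staff": frozenset({"read"}),
        "contractor": frozenset({"read"}),
        "finance-lead": frozenset({"read", "write"}),
    },
    "finance": {
        "finance-staff": frozenset({"read"}),
        "finance-lead": frozenset({"read", "write"}),  # write stays separate from read
    },
    "board-only": {
        "executive": frozenset({"read"}),
    },
}

# Constructed sample documents as the service provider would store them.
SAMPLE_DOCUMENTS: List[dict] = [
    {"name": "handbook", "classification": "public"},
    {"name": "q4-forecast", "classification": "finance"},
    {"name": "merger-memo", "classification": "board-only"},
]


def permitted_actions(roles: Set[str], classification: str) -> FrozenSet[str]:
    """Union of what the user's roles allow on this classification; empty means denied."""
    rules = POLICY.get(classification, {})
    allowed: Set[str] = set()
    for role in roles:
        allowed |= rules.get(role, frozenset())
    return frozenset(allowed)


def authorize(assertion: dict, classification: str, action: str) -> bool:
    """Run after the SSO assertion has been verified: default deny on missing roles or unknown classes."""
    roles = set(assertion.get("roles", []))
    return action in permitted_actions(roles, classification)


def visible_documents(assertion: dict, documents: List[dict]) -> List[dict]:
    """Only list documents the user is allowed to at least read."""
    return [d for d in documents if authorize(assertion, d["classification"], "read")]
```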

The benefits of passwordless SSO

Keyless partners with major identity providers by combining authentication with SSO to provide customers with a best-of-both-worlds passwordless SSO authentication technology, offering greater security for businesses and employees, as well as improved usability for the end user.

Unlike traditional password-based systems that have the potential to be hacked due to compromised details or phishing attacks, with passwordless SSO, there is no password to steal.

As shown in the video above, passwordless SSO allows individuals to use several different services, without the risk to user privacy. Users who wish to log in to a particular service or application only need to tap a notification on their linked device to be authenticated.

Lastly, passwordless SSO also alleviates the workload of IT teams, which are often burdened by password reset requests. According to a study by Gartner, 40% of an IT team's time is taken up by such tasks.

Learn more

If you’re interested in discovering the enhanced employee experiences that SSO identity systems offer but are concerned about the potential security threat to your organization, why not give passwordless SSO a try?

Discover how Keyless can help your organization securely authenticate employees without passwords, OTPs, or hard tokens.

Get In Touch

Find out how our private-by-design MFA can help your organization prevent ATOs, improve UX, and protect your bottom line.