Hi there! If your organization has jumped on the single sign-on (SSO) bandwagon recently, you‘re not alone. SSO adoption has skyrocketed due to the flexibility and convenience it offers modern workforces. However, many IT leaders wrongly assume SSO eliminates the need to worry about password security.
The truth is, while SSO delivers immense value, it also introduces substantial password-related security gaps. In this guide, I‘ll walk you through:
- The accelerating adoption of SSO
- The password problems SSO fails to address
- Steps you must take to fully protect credentials in your new SSO environment
As an experienced cybersecurity advisor, I want to make sure you implement SSO safely. By complementing it with a layered identity and access approach, you can uphold security while your workforce enjoys simplified access.
SSO Goes Mainstream
SSO isn‘t new – early forms emerged nearly two decades ago. But COVID-19 era remote work priorities have made it hugely popular.
- 64% of organizations now use SSO, up from just 51% in 2021
- 97% of IT leaders say SSO is crucial for supporting remote/hybrid environments
- 71% view SSO as a top platform for enhancing operational efficiency
Why the surge in SSO adoption?
SSO eliminates the chore of remembering passwords for each individual application or service. Instead, users only need to recall one password to seamlessly authenticate and gain access to all their web apps.
Obviously, this saves employees time by removing constant password entry interruptions throughout their workday. Based on typical app usage statistics, SSO can save up to 4-6 minutes per employee every single day. Across an entire organization, this adds up substantially.
Additionally, consolidating access through SSO allows much faster deployment of cloud solutions. With a simplified means to apply consistent controls and manage user lifecycles centrally, IT teams can onboard new web apps in days rather than weeks.
These impressive productivity and flexibility benefits explain why SSO adoption is accelerating. However, many IT leaders wrongly assume SSO eliminates any need to worry about password security. Unfortunately, that‘s a dangerous misconception.
SSO Opens Password Security Gaps
The whole point of SSO is to make accessing apps and services easier for end users. But that convenience comes at the cost of reduced password control and visibility. Specific password-related risks introduced by SSO include:
- Single point of failure – One SSO password governs access to everything. If it is compromised, the attacker gains access to all accounts.
- Unsupported apps – Legacy and some modern apps don‘t support SSO standards. Passwords for these apps remain uncontrolled.
- Inconsistent protocols – Applications utilizing different identity protocols than your SSO can‘t be integrated.
- Riskier user habits – IT loses visibility into things like password reuse, sharing, and overall strength as users no longer need to regularly reset passwords.
- Unmanaged privileged access – SSO focuses on ease of access rather than least privilege for admin accounts.
According to Verizon‘s 2022 breach report, compromised user credentials account for over 80% of breaches. And privileged credential abuse enables adversaries to advance attacks in 82% of cases.
So while SSO offers some security improvements, significant password-related security gaps remain unaddressed. These gaps open substantial holes in SSO deployments:
Percentage of Breaches Involving Compromised Credentials
| Year | Percentage |
|---|---|
| 2019 | 67% |
| 2020 | 76% |
| 2021 | 81% |
| 2022 | 82% |
Most Common SSO Security Deficiencies
| Deficiency | Percentage |
|---|---|
| Unsupported apps unmanaged | 72% |
| Risky end user password behavior | 63% |
| Inadequate privileged credential controls | 49% |
| Overly broad user access permissions | 43% |
These numbers highlight that while SSO offers some security improvements, significant password-related security gaps remain unaddressed. Relying solely on SSO sets you up for credential-based attacks.
4 Critical Steps to Secure SSO Environments
The answer isn‘t to abandon or scale back your SSO initiatives. When layered with other key solutions, you can activate SSO across your organization while still upholding credential security.
1. Set Least Privilege Controls with RBAC
As you interconnect applications through SSO, it becomes easier for users to accumulate excessive access privileges. To counteract this risk, actively apply the principle of least privilege.
This states users should only have the bare minimum level of access to systems they require to do their specific jobs – nothing more broad or elevated.
Role-based access control (RBAC) provides the mechanism to achieve least privilege at scale. Rather than assign permissions directly per user, you create groups, designate restrictions per group, and add users to appropriate groups. This simplifies access management enormously versus individual user assignments.
Over 80% of organizations rely on RBAC combined with SSO to prevent privilege creep. The groups construct also eases auditing for compliance against frameworks mandating strict access controls like SOC2.
2. Secure High-Risk Privileged Accounts with PAM
While SSO focuses on enabling access, privileged access management (PAM) solutions take the opposite zero trust approach for privileged accounts like sysadmins. This includes functionality like:
- Requiring dynamic, short-lived credentials for admin sessions rather than static all-access passwords
- Restricting what actions privileged users can perform within sessions
- Recording videos of all activity within privileged sessions for forensic auditing
According to Gartner, over 80% of breaches involve misused privileged credentials. Hardening these highest-risk accounts is essential, even with SSO to handle standard user access.
3. Enforce Additional Authentication with MFA
Adding secondary authentication via multi-factor authentication (MFA) provides another layer of protection against compromised credentials.
Requiring a one-time verification code in addition to a password makes stolen credentials exponentially less valuable. Consistently enforcing MFA organization-wide blocks over 99.9% of credential-based account takeovers.
The only catch is that entering MFA credentials constantly reduces convenience. Modern password management tools like Keeper can store and auto-fill one-time codes to retain ease of use while layering on critical secondary authentication.
4. Unify Password Management Across All Apps
The most comprehensive solution for managing passwords beyond SSO is a dedicated password management platform. Solutions like Keeper provide:
- Encrypted password vault to securely store credentials
- Automated password generation and autofill functionality
- Visibility into password habits across all apps – SSO integrated or otherwise
- Consistent password security policies enforcement
With Keeper, end users retain the simplicity of only needing to remember one master password for easy access. However, IT admins also regain oversight into access controls which SSO tends to obscure.
This allows stronger governance of credential security as users self-manage passwords across cloud apps, legacy systems, and everything in between from one central interface. The result is a best-of-both-worlds scenario: employees enjoy simplified access while credential risks are minimized.
Embrace SSO But Keep Password Security Top of Mind
I hope this outline has clearly conveyed that while SSO delivers immense productivity and flexibility upside, it also introduces substantial credential-related security gaps. Relying solely on SSO as a magic bullet solution is downright dangerous without auxiliary password management capabilities.
The most effective approach is layered security – embrace primary SSO for simplified access, but complement it with enhanced controls via RBAC, MFA, PAM, and enterprise password management.
With the right supplemental password policies and technologies in place, companies can continue rapid cloud expansion through SSO while upholding critical identity and access safeguards. The key is acknowledging that SSO itself is not enough from a password security perspective – gaps will exist unless adequately addressed.
If you have any other questions about shoring up credential security within your SSO environment, don‘t hesitate to reach out! I‘m always happy to help IT leaders implement identity frameworks that balance both productivity and protection.
