Single Sign On Solutions and How They Make You Vulnerable
by Brian Kelley, on Wed 16 August 2017
Single sign-on could be the closest thing we have to an authoritative and universal passport, both for your local device and the internet in general. But authentication that keeps intruders out while actually proving the user's identity is still the area where most SSO solutions fall short: the single sign-on itself is rarely the problem; the first proof of identity behind it is.
Our computers and smartphones make everything easier, except the increasingly complex security realm. Logging in once sounds like it should be a no-brainer: Why prove yourself to your computer or phone more than once after you unlock it, open the browser, and begin your business? It's logical to presume that it’s you using the device since you managed to open it in the first place. That's how authentication and single sign-on should work.
Or, that's how we all wanted passwords to work all this time, but they don't. SSO is just a step in helping us clean up our password-saturated lives. The innovations in convenience and usability are here, but the glaring weak point that is your password-based credentials remains.
SSO, from the scale of Facebook to internal private software systems, works fine, but it never addresses how you authenticate yourself. While it ramps up the speed and simplicity factor, it opens up some questionable security doors while closing others.
Is Single Sign-On Just a Single Point of Failure?
Yes and no. Single sign-on without the right authentication isn't going to solve any security issues. A compromised password is one thing, but a compromised password with linked access to an SSO solution is much worse.
There's an endless supply of apps, services, e-commerce websites, and more that require a username and password to sign on. And of course, the vast majority of them let users set and reuse weak passwords. In this scenario, SSO reduces the total amount of password accumulation, since the relying services no longer need to store or securely hash the user's password data; only the identity provider does.
Storing credentials in multiple places, hashed or not, increases the odds of someone stealing at least one set of them. On the other hand, a service that doesn't store that data and instead confirms the user through the identity provider keeps one more set of credentials out of some data center in the cloud. In the odds game, that is putting your eggs in one basket.
That creates the nightmare scenario where password fatigue and reuse expose multiple accounts at once. Once an intruder holds the credentials for the identity provider, it's not hard to find the other accounts and services reachable through SSO.
When it comes down to it, signing on once is not an insecure process; the risk lies in how you sign on in the first place. Any secure SSO deployment should at least require an MFA method at the identity provider, and the services that trust the identity provider should be able to tell whether that actually happened. The good thing about putting your eggs in one basket is that you can at least build a shield around it.
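The "shield around the basket" has a concrete shape on the relying-party side: the identity provider tells the service how the user authenticated, and the service refuses sessions that rest on a password alone. In OpenID Connect that signal is the `amr` (Authentication Methods References) claim in the ID token, with values from RFC 8176 such as `pwd`, `otp`, `hwk`, `fpt` or the catch-all `mfa`. The following is an added example, not code from the original post or from any particular vendor. To stay self-contained it signs demo tokens with HS256 and a shared secret; real identity providers normally sign with RS256/ES256 keys published through JWKS, and the claim checks below are the same in that case. The issuer, audience, secret and token contents are constructed for the demo.

```python
"""Relying-party check that an SSO identity token actually carried MFA.

Added example (not the original post's code). Assumption: the identity
provider issues OpenID Connect style ID tokens as JWTs carrying an "amr"
claim. HS256 with a shared secret is used here only so the demo runs
offline; production IdPs sign with asymmetric keys published via JWKS.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values, not a real IdP, client or secret.
ISSUER = "https://idp.example.test"
AUDIENCE = "expense-app"
SECRET = b"demo-shared-secret-not-for-production"

# RFC 8176 "amr" values grouped by factor type. Which values a service
# accepts is a policy decision; this grouping is the demo's policy.
CATEGORIES = {
    "knowledge": {"pwd", "pin", "kba"},
    "possession": {"hwk", "swk", "otp", "sc", "sms", "tel"},
    "inherence": {"fpt", "face", "iris", "retina", "vbm"},
}


def is_multi_factor(amr):
    """True if the IdP asserts MFA outright, or the listed methods span
    at least two factor types. "pwd" + "kba" is two knowledge factors and
    therefore still single-factor."""
    amr = set(amr or [])
    if amr & {"mfa", "mca"}:
        return True
    used = {name for name, values in CATEGORIES.items() if amr & values}
    return len(used) >= 2


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, secret=SECRET):
    """Mint a demo HS256 JWT; this stands in for the identity provider."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(claims).encode())}"
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, now=None, secret=SECRET,
                 issuer=ISSUER, audience=AUDIENCE):
    """Return the claims if signature, issuer, audience, expiry and the
    MFA policy all pass; raise ValueError otherwise."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(head))
    # Pin the algorithm; never let the token choose it (alg=none attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    # The post's point: a valid SSO token that only proves a password was
    # typed is not good enough. Missing "amr" is treated as password-only.
    if not is_multi_factor(claims.get("amr")):
        raise ValueError("password-only login rejected")
    return claims


def demo(now=1_700_000_000):
    """Run four constructed logins through the check; returns a dict of
    outcome strings keyed by scenario name."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
            "iat": now, "exp": now + 300}
    scenarios = {
        "password_only": ["pwd"],
        "password_plus_otp": ["pwd", "otp"],
        "idp_asserted_mfa": ["mfa"],
        "no_amr": None,
    }
    results = {}
    for name, amr in scenarios.items():
        claims = dict(base)
        if amr is not None:
            claims["amr"] = amr
        try:
            verify_token(issue_token(claims), now=now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

The ordering matters: signature, issuer, audience and expiry are checked before the `amr` policy, so an attacker cannot learn anything about the MFA rule from a forged token. A missing `amr` is deliberately treated as password-only rather than as "unknown", because the IdP that does not say how it authenticated the user has not given the service a reason to trust the session.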
Imagine what single sign-on could look like without a password.
Few are talking about authenticating the actual user at login, and that is still hard to pull off with a password alone. If you aren't proving you're you, SSO is merely presuming it's you, and it completely misses the authentication problem it could easily solve.
The first set of user credentials, the one presented to the identity provider, can make or break any attempt at secure single sign-on. So there's this one small step in the greater goal of convenient sign-in that keeps getting in the way, and it's passwords again.
That password saturation wastes the owner's time while leaving openings for a break-in. It seems all that's left to do is rely on passwords even less than we do now. If MFA methods serve as obstacles for a stolen password, then can't one of them stand in the way of the password being stolen in the first place?
Pairing a robust authentication service with an SSO solution can revolutionize security for everyone involved. You can try out password-less authentication tools by checking out our free demo below!