Overcome The Security Limits Of SSO With MFA
Understanding what is SSO and how it works
Single sign-on (SSO) is an authentication method that lets a user authenticate once, with one set of login credentials (most of the time an ID + password), at the beginning of his or her work shift. From then on, the user can access multiple applications and websites without losing time logging in again: a kind of “master sign-on”.
Each time a user logs into an SSO service, the service creates an authentication token that records that the user has been verified. Any application or website the user later visits during the work shift checks with the SSO service, which presents the user's token to confirm his identity and grant access. You can think of this token as the "keys to the castle": when the user opens another application after the first “master sign-on”, the SSO solution logs in on their behalf.
This master authentication made possible by an SSO solution must be protected by an additional and complementary solution: MFA (multi-factor authentication).
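As an added illustration (not code from the original article or from any vendor's product), the following Python sketch shows the token flow just described: the SSO service signs a token that records which authentication methods were used at the master sign-on, and an application verifies that token and refuses sessions that rested on a password alone. The shared secret, user names and method labels are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed demo secret shared by the SSO service and the applications it signs for.
SECRET = b"demo-shared-secret-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, amr: List[str], now: int, ttl: int = 8 * 3600) -> str:
    """SSO service side: mint the 'master sign-on' token after authentication.
    amr lists the methods actually used, e.g. ['pwd'] or ['pwd', 'otp']."""
    payload = {"sub": user, "iat": now, "exp": now + ttl, "amr": amr}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: int, require_mfa: bool = True) -> Optional[dict]:
    """Application side: accept the SSO token only if it is authentic, unexpired
    and (when require_mfa) the master sign-on used more than just a password."""
    try:
        body, sig = token.split(".")
    except ValueError:  # malformed token
        return None
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # tampered or forged token
        return None
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:  # stale "keys to the castle"
        return None
    if require_mfa and not (set(claims["amr"]) - {"pwd"}):  # password-only session
        return None
    return claims
```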
Beware of the security limits of SSO
SSO is certainly a gift to users: they can access everything without additional logins. But with this gain in productivity comes an increase in security concerns, and the need for a more secure environment.
Imagine an attacker gaining access to a user's SSO credentials: every other application and resource the user can reach is then compromised. It's like putting all your eggs in one basket.
Get the best of both worlds by combining SSO and MFA
If your organisation "puts all its eggs in one basket" by using SSO, then you need to protect that basket and secure its access. The answer is not to remove SSO, but to fill in the security gaps without compromising the user experience.
This makes it essential to deploy authentication mechanisms beyond a simple ID + password combination. With SSO you need to ensure that access and identities (credentials) are well protected, for example by combining it with a strong authentication solution (MFA).
According to Microsoft, MFA blocks more than 99.9% of account compromise attacks.
Benefits of combining SSO + MFA
Combining SSO with MFA in a business authentication strategy is a good practice for many reasons when it comes to UX, security and IT management.
Enhanced security. An SSO solution narrows the attack surface available to cybercriminals and makes it easier to apply stronger security measures across multiple services at once. Adding MFA reinforces the security level of the SSO solution itself.
Agility and productivity. SSO + MFA boosts agility and productivity by giving employees immediate, secure access to thousands of applications.
No more password hassle. Combining SSO with a passwordless MFA is “the cherry on the cake” when it comes to the user experience.
Faster and seamless login experience. SSO offers a faster login experience, and some MFA technologies can simplify the "master login" itself.
Simple user access management and auditing. SSO can be used to configure a user's access rights, for example according to role, department and/or seniority level. And when an employee leaves the company, it is easier to revoke their login privileges.
Less helpdesk activity. Enabling SSO greatly reduces the number of end users calling support because of a password issue. And by choosing the right MFA solution, you can go passwordless, which reduces helpdesk activity even further.
Not all MFA solutions will secure your SSO to the same extent
Not all MFA solutions are the same, because the technologies behind them are quite different. There are several other criteria to consider when evaluating the security and user experience of the various vendors.
Some MFA solutions are not even natively two-factor: they are really just "+1FA" tools that add a single extra factor to an existing password. Other multi-factor authentication solutions are natively two-factor and passwordless.