Single Sign-On (SSO): Pros & Cons
Facebook. Nieman Marcus. T-Mobile. Panasonic. Volkswagen.
These are just a few of the familiar names that suffered data breaches affecting millions of users last year.
What if your organization could avoid such headaches altogether? Who will spend time hacking your website when no user details are accessible once they get inside?
Welcome to Single Sign-On (SSO). If you’re using it, you know its power and benefits. If you have only heard of SSO but haven’t enabled it, the following information is for you.
Authentication Without SSO
Without SSO, each website or application maintains its own database of usernames and passwords. When a person logs in, the following things happen:
- The service runs a scan to determine if you have already been verified. If so, access to the site is then granted.
- If no authentication is discovered, the visitor is prompted to log in; the service then checks those credentials vs. what is on file in its own repository.
- Once logged in, the service ensures the identity verification info travels with the user as he or she navigates the system, meaning that this same user has effectively verified each time a new page within the application is visited.
Such authentication info travels with the user either in the form of cookies with session data or as tokens, which do not track that specific visit and are therefore faster to process.
The SSO Comparison
By contrast, SSO authentication relies on a trust relationship between different web services. Ever been asked to quickly register for a new website with the Google or Facebook account credentials you’re already logged in with? Bingo.
Facebook says you are who you say you are? Good enough for us – come on in!
If the new domain can’t determine you have been authenticated by another website – again, thanks to SSO – you will be sent to the login page for the appropriate SSO service, where you enter the credentials that will provide you access.
Just like in the example above, SSO allows authentication data to move with you throughout the new domain, continually verifying your identity with each new page you visit.
Best of all, SSO authentication data runs as tokens, not cookies, which is good for speed and performance.
Moving forward, SSO continues to authenticate with a solution such as Active Directory, allowing you to visit new domains tied to that single sign-on provider. Because the next website also verifies your credentials with SSO, you pass through the next website without having to login yet again.
Now let’s discuss SSO benefits and drawbacks.
Single Sign-On(SSO) Pros
For organizations of all kinds, Single Sign-on has many advantages. Among them:
1) It reduces password fatigue. Remembering just one password makes the lives of users or employees so much simpler. In truth, when challenged to use different passwords for different services, most people do not; the vast majority actually use the same password across multiple sites, creating an even bigger risk. The use of SSO usually results in unusually strong passwords since users only have to use one.
2) SSO streamlines the management of employee credentials. When employees turn over, in one shot departing users lose their login privileges across the entire organization.
3) Single Sign-on enhances identity protection. With SSO, organizations strengthen identity security within their teams through the use of multifactor authentication (MFA).
4) It boosts speed where it counts the most. In highly regulated industries like healthcare, defense and finance, or large organizations in which many people and departments demand rapid and unfettered access to the same applications, SSO can be extremely helpful.
5) SSO relieves stress on helpdesks. With far fewer employees calling in with password issues, IT teams can focus on critical work that saves the most time and money while also elevating security overall.
6) It reduces 3rd-party security risks. Connections between vendors, partners and customers present another threat surface, one which SSO can greatly diminish.
Despite all the benefits listed above, companies do need to keep in mind possible drawbacks when considering an SSO implementation:
1) Very strong passwords must be demanded and adhered to. If one set of SSO credentials is unveiled, it potentially leads to a cascade of breaches under that user’s umbrella.
2) If SSO goes down, access to all connected services halts. Here is one important reason to exercise great care in choosing an SSO solution. It must be extremely reliable and disaster plans must be created in order to maintain – or quickly recover – business functions should a disruption occur.
3) If your identity provider goes down, so does Single Sign-on. Because your ID vendor’s vulnerability becomes your vulnerability, too, choosing the right set of vendors is of the utmost importance.
4) If your identity provider gets breached, all linked systems could be open to attack. Here is where advance planning is so important. A possible single point of failure like this needs to be considered, avoided it possible, and a response plan should be created in advance. If the right identity provider with top-flight security practices is chosen in the first place, such planning should never have to be tested. Still, it is best to think through all possible vulnerabilities ahead of time.
5) An investment of time is required for proper SSO architecture and setup. Because each environment is different, wrinkles in even the most well-thought-out plans can develop. Pause, document, compare vs. best practices and structure the new system accordingly.
6) SSO is not the ideal solution for multi-user computers. If your team makes a habit of hot-desking, it can be both frustrating and unsafe for users to be constantly toggling on and off with one another.
7) Reduced sign-on (RSO) may be needed in some environments, leading to a greater cost. If a company needs to accommodate users with different levels of access, additional authentication servers may be required.
8) SSO based on social media credentials may not fit. If an employer blocks social media sites and government connections where censorship is involved, the problem here becomes clear.
Some SSO-linked sites actually share data with third-party entities. Understanding who’s who in this regard requires thorough homework – or the rock-solid advice of a trusted IT professional.
The playing field of leading providers is large and potentially overwhelming, including some familiar names you may be familiar with:
Okta, Citrix Workspace, Duo Security, OneLogin, LastPass, Keeper Password Manager, JumpCloud, Auth0
…to name just a few.
Cynexlink Can Help
There is no need for a mid-sized business to create its own system or to develop deep SSO expertise. Cynexlink’s team understands available offerings and can help identify the best choices for your company. Contact us to learn more!