Single Sign-On (SSO): Pros & Cons


Single Sign on

Introduction to Single Sign-on:

 

MyFitnessPal had 151 million usernames and passwords stolen. For a third-party Facebook app, it was 540 million.

And First American Financial Corp., the largest real estate title insurance company in the U.S., exposed transaction records of 885 million individuals.

These were just a few of the largest data breaches from last year alone!

What if your organization could avoid such headaches altogether? What if your business managing all of its user logins through a leading SSO system or customized solution?

Who is going to take the time to hack your website when none of your user details is accessible once they get inside?

Welcome to Single Sign-On (SSO). If you’re using it, you know its power and benefits. If you have only heard of SSO but haven’t enabled it, the following information is for you.

Authentication Without SSO

Without SSO, each website or application maintains its own database of usernames and passwords. When a person logs in, the following things happen:

The service runs a scan to determine if you have already been verified. If so, access to the site is then granted.

If no authentication is discovered, the visitor is prompted to log in; the service then checks those credentials vs. what is on file in its own repository.

Once the user has logged in, the service ensures the identity verification info travels with the user he or she navigates the system, meaning that this same user has effectively verified each time a new page within the application is visited.

Such authentication info travels with the user either in the form of cookies with session data or as tokens, which do not track that specific visit and are therefore faster to process.

The SSO Comparison

By contrast to the scenario outlined above, SSO authentication relies on a trust relationship between different web services. Ever been asked to quickly register for a new website with the Google or Facebook account credentials you’re already logged in with? Bingo.

In that instance, the service allowing you to sign-in with another solution’s credentials is simply verifying your identity through the use of a single sign-on. Facebook says you are who you say you are? Good enough for us – come on in!

If the new domain can’t determine you have been authenticated by another website – again, thanks to SSO – you will be sent to the login page for the appropriate SSO service, where you enter the credentials that will provide you access.

Just like in the example above, SSO allows authentication data to move with you throughout the new domain, continually verifying your identity with each new page you visit.

Best of all, SSO authentication data runs as tokens, not cookies, which is good for speed and performance.

Moving forward, SSO continues to authenticate with a solution such as Active Directory, allowing you to visit new domains tied to that single sign-on provider. Because the next website also verifies your credentials with SSO, you pass through the next website without having to login yet again. Good stuff.

SSO Under the Hood

Let’s now dig even deeper into how SSO functions. As we have already learned, when a visitor logs into a new domain, that website or application provider will validate the user on its own. That process goes like this:

  1. As a visitor, you land on a page within, let’s say, xyz123.com which tries to authenticate your login status. If yes, off you go to the desired destination—your Yahoo email inbox, for example.

  2. If you’re not already logged in, it’s time to plug in your user/password combo on the login page.

  3. You fill in your credentials, xyz123.com runs those credentials against the data in its own tables. Depending on what it finds, the service either lifts the velvet rope or the bouncer says you can’t come in.
  4. If you can log in, xyz123.com will its method of tracking your visit. This could originate on the server or it might attach to you as a token.

Again, however you decide to navigate that site or service, that domain keeps checking to ensure that your credentials are valid.

That same process when powered by SSO, however, would go like this:

  1. As a visitor, you land on a page within, let’s say, xyz123.com which tries to authenticate your login status. If yes, off you go to the desired destination—your Yahoo email inbox, for example.

  2.  Not logged in yet? No problem! That new site, xyz123.com, then gives you choices for authentication through another app (Google, Amazon, Facebook, etc.). Click your favorite service and log into the new web app with those pre-existing credentials (let’s say Facebook in this case).

  3.  As far as authentication, Facebook does the authentication for that new website. Once Facebook says you are who you claim to be – and checks to ensure that xyz123.com is legitimate, both sites agree you’re ready to roll.The Facebook password database issues a token that becomes your passport to and through xyz123.com.

  4.  By accepting that token from Facebook, xyz123.com verifies the user’s identity with more ease and confidence. Further, it can now associate the visitor with all other data that’s known about that person, things like preferences, history, shopping cart, etc.

Now let’s discuss the Single Sign-on  Pros and Cons

Single Sign-On(SSO) Pros

For organizations of all kinds, Single Sign-on has many advantages. Among them:

  • It cuts down on password fatigue

    Remembering just one password makes the lives of users or employees so much simpler. In truth, when challenged to use different passwords for different services, most people do not; the vast majority actually use the same password across multiple sites, creating an even bigger risk.

    And as a side benefit, the use of SSO usually results in unusually strong passwords since they only have to use just one.

  • Streamline the management of employee credentials

    When employees turn over, the use of SSO reduces both IT effort and the chances of mistakes. In one shot, departing users lose their login privileges across the entire organization.

  • Single Sign-on enhances identity protection

    With SSO, organizations strengthen identity security within their teams through the use of multifactor authentication (MFA).

  • It boosts speed where counts the most

    In highly regulated industries like healthcare, defence and finance, or large organizations in which many people and departments demand rapid and unfettered access to the same applications, SSO can be extremely helpful.

    It is in environments precisely like these where malware brought on by compromised credentials can literally mean the difference between life and death.

  • SSO relieves stress on helpdesks

    With far fewer employees calling in with password issues, IT teams can focus on critical work that saves the most time and money while also elevating security overall.

  • It reduces 3rd-party security risks.

    Connections between vendors, partners and customers present another threat surface, one which SSO can greatly diminish.

SSO Cons

Despite all the benefits listed above, companies do need to keep in mind possible drawbacks when considering an SSO implementation:

  • Very strong passwords must be demanded and adhered to. If one set of SSO credentials is unveiled, it potentially leads to a cascade of breaches under that user’s umbrella.

  • If SSO goes down, access to all connected services halts. Here is one important reason to exercise great care in choosing an SSO solution. It must be extremely reliable, and plans should be crafted for immediately dealing with any cracks which might present themselves.

  • If your identity provider goes down, so does Single Sign-on. Because your ID vendor’s vulnerability becomes your vulnerability, too, choosing the right set of vendors is of the utmost importance.

  • If your identity provider gets breached, all linked systems could be open to attack. Here is where advance planning is so important.A possible single point of failure like this needs to be considered, avoided it possible, and a response plan should be created in advance.

    If the right identity provider with top-flight security practices is chosen in the first, place, such planning should never have to be tested. Still, it is best to think through all possible vulnerabilities ahead of time.

  • An investment of time is required for proper SSO architecture and setup. Because each environment is different, wrinkles in even the most well-thought-out plans can develop. Pause, document, compare vs. best practices and structure of the new system accordingly.

  • SSO is not the ideal solution for multi-user computers. If your team makes a habit of hot-desking, it can be both frustrating and unsafe for users to be constantly toggling on and off with one another.

  • Reduced sign-on (RSO) may be needed in some environments, leading to a greater cost. If a company needs to accommodate users with different levels of access, additional authentication servers may be required.

  • SSO based on social media credentials may not fit. If an employer blocks social media sites and government connections where censorship is involved, the problem here becomes clear.

  • Some SSO-linked sites actually share data with third-party entities. Understanding who’s who in this regard requires thorough homework – or the rock-solid advice of a trusted IT professional.

Providers aplenty

The playing field of leading providers is large and potentially overwhelming, including some familiar names you may be familiar with:

  • Okta
  • Citrix Workspace
  • Duo Security
  • OneLogin
  • LastPass
  • Keeper Password Manager
  • JumpCloud
  • Auth0

…to name just a few.

Cynexlink Can Help

There is no reason for any organization to create its own system or to develop deep SSO expertise. Cynexlink’s team understands available offerings and can help identify the best choices for your company. Contact us to learn more!

Post a comment