Lesson 6

Is SSO Secure?

What are the risks of Single Sign-On and how to avoid them

Carlo Belloni
Project Manager and SEO Specialist at Kisi

Intro

In this article we analyse whether Single Sign-On is a secure solution and what risks it brings to the table. We also give you a checklist for avoiding these risks.

Is Single Sign-On Secure? An Overview

Gone are the days when most computer users maintained a single user ID and password. Single Sign-On (SSO) has been a standard feature for many businesses over the past few years, and its appeal lies in its simplicity and efficiency. An important question to consider, however, is: "is SSO secure?"

Although the main features of SSO include improved IT monitoring, management and security control, the technology itself is designed primarily to improve productivity, often at the cost of security. With the introduction of SSO, therefore, come some implied security risks.

What are the Security Risks in SSO?

SSO, in general, is more concerned with granting access than restricting it. In a time of widespread malware-based attacks, unrestrained access is not the most desirable goal. Despite the benefits of its use, some of the risks associated with SSO are:

1. Instant Extensive Access

In recent years, login credentials have been a major target for external attackers. If an attacker gains initial access to an authenticated SSO account, they are automatically given access to every application, data set, environment and system linked to that account.

Malware that gives an external attacker control over an endpoint would likewise have immediate post-login access to every system connected via SSO.

2. Little Control once Access is Granted

If a user logs in via SSO and then falls prey to a phishing attack, there is not always a simple remedy. The attacker gains access to every cloud application the user is provisioned for.

If the attack is detected, the user account can be disabled. However, the user may remain logged in, and the attacker can stay logged on with access to the linked applications, depending on the security of each application and the SSO model in place.
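One way a linked application can close this gap, as an added example that is not Kisi's code: re-confirm the account with the directory on a short interval instead of trusting the session until it expires. The names, intervals and the timeline are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_SESSION_AGE = timedelta(hours=8)     # hard lifetime of an SSO session (assumed)
REVALIDATE_EVERY = timedelta(minutes=5)  # how often a linked app re-checks the account

@dataclass
class Account:
    user_id: str
    disabled_at: Optional[datetime] = None  # set when IT disables the account

@dataclass
class Session:
    user_id: str
    issued_at: datetime         # time of the SSO login
    last_revalidated: datetime  # last time the app confirmed the account is active

def login_only_check(session: Session, now: datetime) -> bool:
    """Weak model: checked once at login, then trusted until expiry; disabling changes nothing."""
    return now - session.issued_at < MAX_SESSION_AGE

def revalidating_check(session: Session, directory: Dict[str, Account], now: datetime) -> bool:
    """Hardened model: the app re-confirms the account with the directory every
    REVALIDATE_EVERY, so a disabled account loses access within that window."""
    if now - session.issued_at >= MAX_SESSION_AGE:
        return False
    if now - session.last_revalidated >= REVALIDATE_EVERY:
        account = directory.get(session.user_id)
        if account is None or account.disabled_at is not None:
            return False  # account gone or disabled: cut the session off now
        session.last_revalidated = now
    return True

def simulate() -> Dict[str, List[int]]:
    """Constructed timeline: login at minute 0, account disabled at minute 10, requests
    every 2 minutes until minute 20. Returns the minutes at which each model still allows access."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    directory = {"alice": Account("alice")}
    weak, strong = Session("alice", t0, t0), Session("alice", t0, t0)
    allowed: Dict[str, List[int]] = {"login_only": [], "revalidating": []}
    for minute in range(0, 21, 2):
        now = t0 + timedelta(minutes=minute)
        if minute == 10:
            directory["alice"].disabled_at = now  # IT disables the account after detecting the phish
        if login_only_check(weak, now):
            allowed["login_only"].append(minute)
        if revalidating_check(strong, directory, now):
            allowed["revalidating"].append(minute)
    return allowed
```

Under the login-only model the attacker keeps access for the full eight-hour session; under the revalidating model the stale window is bounded by REVALIDATE_EVERY, so the trade-off is directory load against exposure time.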

3. Weak Adherence to the Principle of Least Privilege

The principle of least privilege holds that users should be granted access only to the data, applications and systems essential to their work. To enforce this, obtaining elevated access requires additional sign-ons.

This runs contrary to SSO systems, which grant access through a single set of credentials.

How do you Reduce the Risks of SSO?

Despite the risks associated with SSO, the benefits of increased productivity and reduced support costs appeal to businesses. The challenge is how to provide the streamlined benefits of SSO while maintaining an adequate level of security.

As with any challenge, there is always a way to manage or mitigate problem areas and minimize the risk involved. For SSO, this means identifying the specific loopholes and implementing measures that increase security without compromising the convenience of the solution.

1. Introduction of Two-Factor Authentication

Two-Factor Authentication addresses password vulnerabilities by adding a layer of security to Active Directory accounts whose password has been compromised. It stops a breach before any damage occurs, protects every user, and renders compromised credentials useless on their own.

It can also be customized by users and organizations, and used together with logon management.

2. Using Logon Management to secure the Active Directory Logon

Introducing a Logon Management solution adds security measures to the initial Windows login.

Some of these measures include the restriction of endpoints from which a user can log in, logon frequency limitations, restrictions according to the type of session, monitoring unusual login activity, managerial approval, and forced log-offs in case of a detected risk.
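An added example, not from the original article, of the logon management measures just listed evaluated over constructed logon events: endpoint restriction, session-type restriction, a logon frequency limit, and a forced log-off when a concurrent session from another endpoint is detected. The policy values, field names and sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy (hypothetical users, hosts and limits).
POLICY = {
    "allowed_endpoints": {"alice": {"WS-ALICE", "LAPTOP-07"}},
    "allowed_session_types": {"interactive", "remote"},
    "max_logons": 3,                  # attempts allowed per user inside `window`
    "window": timedelta(minutes=10),  # sliding window for the frequency limit
}

class LogonGuard:
    """Checks each logon attempt against the policy and keeps per-user state."""
    def __init__(self, policy):
        self.policy = policy
        self.recent = defaultdict(deque)  # user -> timestamps of recent attempts
        self.open = defaultdict(set)      # user -> endpoints with a live session

    def evaluate(self, ev):
        user, host, ts = ev["user"], ev["endpoint"], ev["time"]
        if host not in self.policy["allowed_endpoints"].get(user, set()):
            return "DENY:endpoint"          # restriction on logon endpoints
        if ev["type"] not in self.policy["allowed_session_types"]:
            return "DENY:session_type"      # restriction by type of session
        q = self.recent[user]
        while q and ts - q[0] > self.policy["window"]:
            q.popleft()                     # forget attempts outside the window
        if len(q) >= self.policy["max_logons"]:
            return "DENY:frequency"         # logon frequency limitation
        q.append(ts)
        # Unusual activity: a live session on another endpoint is treated as a detected risk.
        if self.open[user] - {host}:
            self.open[user].clear()         # force all of the user's sessions off
            return "FORCE_LOGOFF:concurrent_session"
        self.open[user].add(host)
        return "ALLOW"

def run(events, policy=POLICY):
    """Return one decision per event, in order."""
    guard = LogonGuard(policy)
    return [guard.evaluate(e) for e in events]

T0 = datetime(2024, 1, 1, 9, 0)
def ev(host, kind, minute):  # helper to build a constructed logon event
    return {"user": "alice", "endpoint": host, "type": kind, "time": T0 + timedelta(minutes=minute)}
SAMPLE_EVENTS = [ev("WS-ALICE", "interactive", 0), ev("KIOSK-3", "interactive", 1),
                 ev("WS-ALICE", "batch", 2), ev("LAPTOP-07", "remote", 3),
                 ev("WS-ALICE", "interactive", 4), ev("WS-ALICE", "interactive", 5),
                 ev("WS-ALICE", "interactive", 11)]
```

Managerial approval is the one listed measure left out here; in practice the FORCE_LOGOFF branch is where a real product would hold the new logon for a manager's decision.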

3. Improvement of Least Privilege with Privileged Session Management

Privileged Session Management (PSM) is the middle ground between the principle of least privilege and SSO.

PSM allows users to request access without needing a password. The access request controls which systems specific users can reach, can require peer or manager approval, can notify IT, and keeps track of the session activity.

4. Security Policy-Driven SSO

For organizations with extensive cloud estates, introducing AD controls helps establish a secure SSO foundation. To ensure adequate security, this must be done in conjunction with other measures, including least privilege, multi-factor authentication, modern authentication protocols, limited device access and frequent password changes.
