Recently, Identity Automation CEO, James Litton was featured in a USA Today article that posed the question: Is Single Sign-On (SSO) the answer to our password-related struggles?
The article looks at the examples of Google, Apple, and Facebook rolling out their own SSO features and explores Google product manager Mark Risher’s perspective that focus shouldn’t be put on making passwords more challenging, but rather, we should be reducing the overall number of passwords we use. Risher argues that increasing password strength doesn’t impact an organization’s ability to mitigate security vulnerabilities, such as phishing attacks, nor does it prevent password reuse.
Leveraging these points, the article offers up SSO as a potential solution to our password woes. But is it really that simple? Sure, SSO is convenient, but is it really the precursor to a passwordless future?
Although the article does offer James’s view that if you have to use a password, many-character passwords and password managers are the way to go, that isn’t the full story. There’s a lot more to this discussion on passwords, SSO, and cybersecurity. So, here’s our take.
Single Sign-On (SSO) is the practice of using a session- and user-authentication service that permits an end user to enter one set of login credentials (such as name and password) in order to access multiple applications. A user simply logs into their SSO portal and then they can seamlessly access all applications without having to authenticate again (during a single session, such a normal work day).
It’s true that SSO portals help organizations address important access challenges, while offering clear productivity and user experience benefits. Many organizations see the effects of these benefits and make the assumption it is meeting all of their identity and access needs.
However, this simply isn’t the case. James cautions against relying on SSO as a security measure: “I do not believe an SSO by itself improves security posture,” says James, “SSO is a convenience play over a security play.”
By boiling all applications down to one username and password, security strength is only as strong as that one set of credentials. "If it's a horrible password, your security situation hasn't improved," explains James.
Furthermore, if a hacker gets a hold of a user’s SSO login credentials, they can access all of the user’s resources. This is especially dangerous if that user has access to privileged information or mission-critical data.
For years, users have been asked to create and remember an increasing number of passwords—each bound by increasingly complex policies and rules. But has all this time you’ve spent trying to create tougher-to-crack passwords really been a waste, as the article makes the case?
Not really.
While it is true that some companies may be a little too heavy-handed in regards to password management, and overly stringent password policies don’t necessarily increase security, the reality is that passwords aren’t completely going away any time soon. This means that users need to do everything they can to secure the passwords they've got—especially their SSO password.
“I recommend using different IDs and passwords for each account, and making the length of passwords as long as possible (as many as 32 to 64 characters!), as this is significantly more difficult to break than 6-7 character passwords,” asserts James.
In other words, if users have to utilize passwords, longer, simpler ones that vary by application are better than short, complex passwords, as they take more time and resources to crack. "It's more difficult for a bad guy to pick words out of a dictionary for a hack attack if I go long," explains James.
Even better: James recommends storing passwords in a password manager that organizes and secures your many passwords for you, so users can have long, unique passwords without needing to remember each one.
Really long passwords and password managers may be the safer bet, but in reality, even the best passwords aren’t enough to keep an organization safe. While brute force attacks that “crack” a user’s password do still occur, far more attacks simply trick a user into giving up their credentials, such as phishing attacks, malware, and keylogging.
To prevent unauthorized access due to stolen credentials, organizations should implement multi-factor authentication (MFA). MFA prevents unauthorized access by adding a second or third verification method in addition to username/password. So, even if a user’s password is compromised, the attacker still wouldn’t have the other authentication factors.
Many of today’s MFA solutions offer the flexibility to increase security without negatively affecting usability. These solutions can manage multiple forms of authentication simultaneously and can assign different forms of authentication to end users for different access scenarios.
You can also tailor the level of authentication required based on the risk level a user presents with risk-based authentication. So, more stringent authentication can be required for high risk scenarios, while users in low risk situations don’t have to be overly burdened with additional steps when logging in.
For organizations with SSO portals, this allows end users to still be able to benefit from the productivity and efficiency benefits associated with SSO, while overcoming the associated security limitations. When logging into an SSO portal, MFA augments password strength by adding additional layers of protection or can even be used to replace passwords with different authentication methods altogether. Additionally, if a user has access to a sensitive system, MFA can be applied to that specific system for added security.
Is all hope for a passwordless future lost? Not at all! Implementing solutions, such as MFA along with SSO can help organizations find the right balance between maintaining usability and convenience for users and overall security. Furthermore, MFA can be tailored to an organization's unique needs and security requirements.
Although today’s world may not be completely ready to go passwordless, MFA solutions are moving in that direction as organizations look for sophisticated authentication methods that enhance security without burdening users. While an individual may not be able to eliminate all the passwords in their life, an organization can implement alternative authentication methods, such as push notifications, OTP soft tokens, fingerprint biometrics, and RFID cards in place of traditional passwords.