Single Sign-On (SSO) is a convenient alternative to requiring users to log in multiple times. But it poses new security risks and pitfalls that must be considered. Let’s take a look at the top 7 major problems with SSOs.
A single sign-on tool (SSO system) enables users to access multiple applications that use the same identity provider without identifying themselves repeatedly. It is supposed to save time and increase user convenience.
Single sign-on is used in enterprise settings to unify identity management. This single sign-on type allows users to use one set of login credentials—that of SSO itself—to securely access multiple apps and services used in an organization. This means that the users do not have to remember multiple usernames and passwords for each service they use.
SSO is a convenient alternative to requiring users to log in multiple times, and it's an attractive option for organizations seeking to ease the burden of authentication on their end-users. It can also save money on administration costs and help support mobile workers. But it poses new security risks and pitfalls that must be considered.
If you want to understand how SSO works, we have written a detailed post on it. Now, let’s look at the major disadvantages of using SSO.
Security Issues with SSO
Single Sign-On (SSO) is convenient for users, but it creates new security risks for the organization. Instead of requiring users to log in separately for each resource, an SSO system allows organizations to use a single username and password to access multiple resources.
Some major issues with SSO include:
1. Losing Access to Your SSO Account Can Compromise all Related Accounts
SSO is a security mechanism that enables users to authenticate to enterprise applications using a single set of credentials. Once a user's identity has been authenticated with an SSO, their authentication is then passed on to each application they would like access to with no requirement for further interaction with the SSO provider.
Thus, if an intruder compromises an enterprise's SSO system, essentially gaining the ability to impersonate any user within that enterprise, the resulting damage can be catastrophic, because every account behind the SSO is exposed at once rather than one account at a time.
Because SSOs are associated with critical resources, if a hacker attack targets an SSO provider, the entire user base will be compromised. If an end user’s SSO portal is compromised, then their access to those applications is also at risk.
2. Need For Extra Strong Passwords
An extra-strong password is mandatory because of the reliance on the master password and the risk involved with it. If a single SSO account is compromised, other accounts using the same authentication would be put in jeopardy.
Therefore, to reduce the risk, extra-strong passwords are used. Most of today's password policies require user passwords to be ten or more characters long, and service providers require users to choose random-looking character strings.
Strong passwords are an online security standard and a critical requirement for corporate computing environments. Sufficient numbers of characters consisting of upper- and lowercase letters, digits, and other symbols increase the attack resistance of passwords.
But this complexity also means that the users forget the password often, which leads to other issues, such as password reset requests that increase workloads on IT teams. Another concern is that sometimes the user writes down the password and loses it.
3. When SSO is Offline, Users Lose Access to All the Associated Apps
When SSO is down, users are denied access to all applications, application servers, and network resources that depend on the same infrastructure. This is a compelling reason to choose an SSO solution with exceptional reliability, and contingency plans must be in place to deal with breakdowns.
Any application outage due to a hardware or software failure will also prevent users from logging in. Security clearances, transactions involving confidential or personal data, and reputation/branding are all at stake when SSO outages are frequent, including planned ones such as scheduled maintenance windows or OS upgrades.
It is important that your SSO solution operates with near-100% uptime and does not interrupt crucial business activities. Here we have listed the best SSO tools available in the market today, along with their pros and cons.
4. If Your Identity Provider Goes Down, So Does Your SSO
As explained in our post on how SSO works, many SSO deployments rely on external identity providers for authentication.
When evaluating an identity provider integration, it is important to know what caveats you're signing up for. Often, you may have to fall back on older authentication methods if a problem occurs, such as your identity provider going down or experiencing an interruption.
If your identity provider goes down, your SSO goes down too. The provider’s vulnerability to any kind of interruption becomes your vulnerability. Once again, it is critical to select secure providers.
Thoroughly assess any provider you are considering before working with them. Consider their history and their security measures, and look for industry reviews or recommendations that speak directly to their strengths and weaknesses.
5. Setting up SSO can Take Longer Than Expected
SSO implementation is painful, and it can take longer than expected. Because each IT environment is unique and has its own customization requirements, additional steps crop up along the way.
Single Sign-On (SSO) systems, with their ability to log users into many services at once, can be a powerful solution for businesses. Unlike a password manager, SSO removes per-application password authentication altogether. The technology relies on identity providers (IdPs) and service providers (SPs) linking their systems together.
For example, SSO requires identity providers and service providers to link their systems together, which may take time and effort.
Additionally, there are many standards in SSO: LDAP, CAS, SAML 1.0 and 2.0, and OAuth 1.0 and 2.0. What makes the issue worse is that each vendor has its own implementation, creating incompatibility issues.
Not only does an SSO implementation require a lot of in-depth back-end configuration that consumes hours and resources, but the required expertise is sometimes not available either.
Compare this to Zluri, a SaaS management platform. It takes less than 30 minutes for the whole onboarding process.
6. For Multi-User Computers, SSOs can Cause Troubles
SSOs can cause problems on multi-user computers. What happens when one person is logged in, and another wants to use the machine?
Single Sign-On (SSO) is a service that allows employees to log in once, receive a token, and use that token to access multiple applications throughout the day. What happens when an employee logs in and then forgets to log out?
The next person at the machine gets access to all the applications the previous person was using. Therefore, using SSO on multi-user computers can be risky.
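The shared-machine risk above comes from a token that stays valid all day regardless of activity. As an added example (not code from the original article or from any SSO product), the session store below bounds that exposure with an absolute lifetime, an idle timeout and server-side logout; the lifetimes, user names and timestamps are constructed for illustration.

```python
# Added example: SSO session store with absolute lifetime, idle timeout and revocation.
# A session left open on a shared computer stops validating after IDLE_TIMEOUT seconds
# of inactivity, and never outlives ABSOLUTE_LIFETIME even if it is used continuously.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

ABSOLUTE_LIFETIME = 8 * 3600  # seconds; hard cap regardless of activity (constructed value)
IDLE_TIMEOUT = 15 * 60        # seconds; expire after this long without a request (constructed value)


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, now: float) -> str:
        """Issue an unguessable token for an authenticated user."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def logout(self, token: str) -> None:
        """Revoke server-side; deleting the browser cookie alone is not enough."""
        session = self._sessions.get(token)
        if session is not None:
            session.revoked = True

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user for a live session, or None if unknown, revoked or expired."""
        session = self._sessions.get(token)
        if session is None or session.revoked:
            return None
        too_old = now - session.issued_at > ABSOLUTE_LIFETIME
        too_idle = now - session.last_seen > IDLE_TIMEOUT
        if too_old or too_idle:
            session.revoked = True  # expire permanently; a later request cannot revive it
            return None
        session.last_seen = now     # sliding window: activity extends only the idle timer
        return session.user
```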
7. Some SSOs Share User Information with Third-Parties
If your SSO provider shares data with third parties, that can lead to leaking internal company information and further compromise your privacy. Such providers should therefore be dealt with carefully, and understanding the privacy issues is important so that you can choose the right provider.
When choosing an SSO provider, it's better to ask upfront what data they share with third parties and for what purpose, and to ensure this is written into the IT contract.
There are two other issues with SSO: First, it forces you to choose apps that can be connected with SSO, which are usually available only in the highest pricing tiers. Second, it poses issues while offboarding employees.
We have described both issues in detail in this article: Deprovisioning: SSOs vs. Zluri; here's the summary:
Since it takes a huge amount of developer time and effort to set up an app for an SSO connection, vendors price it higher to recover the costs. For this reason, SSO support is not widespread either. On average, you can connect only 30% of your SaaS apps with SSOs.
The other issue is related to how users are de-provisioned from apps during offboarding. Even after deprovisioning, some ex-employees can still access the company apps. Furthermore, there is no way for IT teams to monitor this with SSOs.
Zluri, a SaaS management company, solves this problem. Zluri doesn't stop at SSO-level authorization while deprovisioning. Since it connects with SaaS apps (the source of truth) directly, we always have accurate information on user access and usage of SaaS apps.
Further, we monitor which apps users have access to, what level of permissions they have for those apps, their sign-in logs, audit logs, and access logs.
You can filter apps and users by risk level or threat level and block them if required directly from Zluri.
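The offboarding gap described above (a user removed at the SSO layer who still holds a working account in an app) is something an IT team can check for by comparing the identity provider's directory with each app's own user list. The reconciliation below is an added example, not Zluri's code or any vendor's API; the directory, app user lists and field names are constructed for illustration.

```python
# Added example: reconcile the IdP directory (what SSO believes) against each SaaS app's
# own user list (the source of truth) and report accounts that remain usable after the
# IdP user was deprovisioned or was never in the IdP at all. All data is constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    app: str
    email: str
    reason: str


# Constructed IdP directory: email -> whether the IdP account is still active
IDP_USERS: Dict[str, bool] = {
    "alice@example.com": True,
    "bob@example.com": False,  # offboarded: deprovisioned in the IdP
}

# Constructed per-app user lists, as an app's admin API might report them.
# "sso": login is SSO-enforced; "local_password": an app-level credential is still set.
APP_USERS: Dict[str, List[dict]] = {
    "crm": [
        {"email": "alice@example.com", "active": True, "sso": True, "local_password": False},
        {"email": "bob@example.com", "active": True, "sso": True, "local_password": False},
    ],
    "wiki": [
        {"email": "bob@example.com", "active": True, "sso": False, "local_password": True},
        {"email": "eve@example.com", "active": True, "sso": False, "local_password": True},
    ],
}


def reconcile(idp: Dict[str, bool], apps: Dict[str, List[dict]]) -> List[Finding]:
    """Return every active app account that the IdP no longer (or never) vouches for."""
    findings: List[Finding] = []
    for app, users in apps.items():
        for user in users:
            if not user["active"]:
                continue  # already disabled in the app itself
            email = user["email"]
            if email not in idp:
                findings.append(Finding(app, email, "unknown to IdP (local account)"))
            elif not idp[email]:
                # Removing the IdP user does not disable the app account: a local
                # password, or existing sessions and API tokens, keep it usable.
                via = "local password" if user["local_password"] else "existing sessions/API tokens"
                findings.append(Finding(app, email, f"deprovisioned in IdP, still active via {via}"))
    return findings
```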
The Solution to SSO Perils
It is apparent that SSO solutions for web apps bring both benefits and drawbacks to organizations. This is because SSO solutions are point solutions and are meant to be layered on top of existing directories to improve the connection between users and their web apps.
Because of the way they were designed, the drawbacks of SSO solutions tend to outweigh their benefits in some cases, which is especially true in small-to-medium-sized enterprises. In the modern IT environment, where users need to seamlessly connect to a wide variety of IT resources, SSO tools can hinder their flow.
To solve this problem, we suggest a real-time identity-confirmation process. This will allow continual authentication, preventing users from being locked out while also monitoring user changes to notify the administrator of any suspicious activity.