2020-06-22T07:59:00Z

Is SSO safe?

Rony_Sklar - PeerSpot reviewer

8 Answers

TA
Consultant
2021-08-24T12:34:02Z
Aug 24, 2021

Hi all!


I do not see SSO purely as authentication. SSO is rather the possibility to "re-use" an existing authentication to access additional resources.


The security of the SSO implementation depends on two things:


1. How secure is the initial authentication?


Password alone is (in most cases) not good enough, MFA is a must. The MFA options are not equal, they have different protection against attacks (Man-in-the-Middle, phishing, channel jacking). Passwordless is the future and what to strive for. Also, try to evaluate each sign-in using some sort of Conditional Access. If you secure the initial authentication, all other resources in the SSO realm also get the advantage of that.


2. How secure is the SSO implementation?


A clear text session string in the URL is the worst example I could think of. SAML 2.0 is OK and widely supported, but it is getting old. OAuth 2.0 is a more modern SSO method worth looking into, where you also can limit the scope of what resources the SSO app can access (a mail app can only see your mail, a calendar app can only see your calendar, etc).


Some of the other comments to this question contain things like "no chance of hacking" and "completely secure". I strongly disagree, nothing is ever totally secure. It's a matter of balancing Security, Usability and Low Price. You can have 2 of them :-)
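Two of the points in the answer above, scope-limited access and never carrying a session credential in the URL, can be shown on the resource-server side. This is an added example, not code from the thread or from any product named in it; the HMAC-signed token format, the demo key and the `/api/mail` and `/api/calendar` paths are constructed stand-ins for what a real identity provider and API would use.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlparse

# Constructed demo key (hypothetical); a real resource server gets key material from its IdP.
DEMO_KEY = b"demo-signing-key-not-for-production"

# Scope each resource demands: the "mail app only sees mail" idea from the answer.
REQUIRED_SCOPE = {"/api/mail": "mail.read", "/api/calendar": "calendar.read"}

def mint_token(scopes, ttl_seconds, now=None):
    """Constructed stand-in for an IdP issuing an HMAC-signed bearer token."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"scp": scopes, "exp": now + ttl_seconds}).encode()
    b64 = base64.urlsafe_b64encode(body).rstrip(b"=")
    sig = hmac.new(DEMO_KEY, b64, hashlib.sha256).hexdigest()
    return f"{b64.decode()}.{sig}"

def verify_token(token, now=None):
    """Return the claims if signature and expiry hold, otherwise None."""
    try:
        b64, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(DEMO_KEY, b64.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))
    now = int(time.time()) if now is None else now
    return None if claims["exp"] <= now else claims

def authorize(url, headers, now=None):
    """Decide one request: returns ('allow', scope) or ('deny', reason)."""
    parts = urlparse(url)
    # A credential in the query string is the clear-text-session-in-URL case:
    # it ends up in browser history, proxy/server logs and Referer headers.
    if parse_qs(parts.query).keys() & {"access_token", "session"}:
        return ("deny", "credential in URL")
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return ("deny", "missing bearer token")
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return ("deny", "invalid or expired token")
    needed = REQUIRED_SCOPE.get(parts.path)
    if needed is None:
        return ("deny", "unknown resource")
    if needed not in claims["scp"]:
        return ("deny", f"scope {needed} not granted")
    return ("allow", needed)
```

A token minted for `mail.read` is accepted on the mail resource and refused on the calendar resource, and the same token passed as `?access_token=` is refused before its signature is even checked, which is a good place to raise a detection alert.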

EB
Community Manager
Aug 25, 2021

@Tom Aafloen I absolutely agree with you that there is no such a thing as 100% secure!

JP
Real User
2021-08-24T10:26:28Z
Aug 24, 2021

SSO is one of the most secure ways to authenticate a user. However, as usual, it depends on how the deployment is made. 


The access to the SSO platform (Microsoft, OneLogin, Okta, ...) should be protected with a strong 2FA/MFA method, passwordless if possible.


On the other hand, multiple security policies may be developed. The duration of the sessions should be defined, very short for profiles like administrators. You can also customize the extra authentication requirements depending on the application that the user is accessing, ...


In conclusion, just by choosing an authentication method you won't have the best protection. You should design the deployment to find the best security/efficiency balance, and always use a Zero Trust policy.

AV
Real User
2021-08-25T10:23:20Z
Aug 25, 2021

Hi, 


Single Sign-On for an application is the most secure way of transition compared to keying a username and password based on each app. 


Depending on the SSO provider, one can opt to use 2FA on the account to log in to the SSO homepage, i.e., credentials to log in to SSO once successfully authenticated.


Enable 2FA and only then allow the user to access the SSO page then onwards it will be one click to log in to the assigned application.


-Arun 

Hasan Zuberi ( HZ ) - PeerSpot reviewer
Real User
2021-08-24T06:08:34Z
Aug 24, 2021

Like there is an old saying: "Prevention is better than cure". 


SSO, 2FA, MFA, and all other methods can add an extra layer of protection or prevent attacks that are getting sophisticated day by day. 

Hasan Zuberi ( HZ ) - PeerSpot reviewer
Real User
Aug 24, 2021

@Evgeny Belenky Dear,
all shall depend on the customer environment.
All comes down to the customer and choice or what they are looking at: what layer? what devices / infrastructure?
Likewise, you mentioned above that all have their pros and cons. It bottles down to customer expectation, preference and the budgeting at the end. And the way they have perceived the approach we have done towards them.

JB
Vendor
2021-08-25T17:49:37Z
Aug 25, 2021

It's safe if you have good authentication for your session certificate. Good insights and advice below.

EB
Community Manager
Aug 26, 2021

@Jay Bretzmann did you mean an SSL/TLS certificate here (i.e., the transport level security)? 

AA
Real User
2020-06-23T04:28:45Z
Jun 23, 2020

Firstly, let me assure you that once you have SSO integration in place using a good tool, there is no chance of hacking. If you still think it can be, you can go for MFA (Multi-Factor Authentication), where each user will be asked to provide a second authentication (like OTP, fingerprint).


MFA will make sure that only the authenticated user will have access.

JR
User
2020-06-22T22:11:40Z
Jun 22, 2020

Yes, it is completely secure. In the new identity unification tools you must add a key component, multi-factor authentication (MFA), so you can confirm that the authenticated user using the SSO credentials is not being impersonated and that their credentials are not compromised; this applies to personnel who manage platforms, such as those who have access to sensitive information in the organization. Microsoft, for example, offers Azure AD Premium, which allows SSO and MFA and is also supported by conditional authentication (CA).

AN
User
2020-06-22T21:09:33Z
Jun 22, 2020

SSO is a good concept BUT the implementation is fundamentally flawed, that's why it is not secure. Fortunately, that is very easy to fix and the solution on how to fix it is available now.
