SSO seems like a great way to simplify secure user authentication, but is it safe? If SSO is compromised, surely this poses a greater risk, as then all one's passwords can be accessed across all applications?
I do not see SSO purely as authentication. SSO is rather the possibility to "re-use" an existing authentication to access additional resources.
The security of the SSO implementation depends on two things:
1. How secure is the initial authentication?
Password alone is (in most cases) not good enough, MFA is a must. The MFA options are not equal, the have different protection against attacks (Man-in-the-Middle, phishing, channel jacking). Passwordless is the future and what to strive for. Also, try to evaluate each sign-in using some sort of Conditional Access. If you secure the initial authentication, all other resources in the SSO realm also get the advantage of that.
2. How secure is the SSO implementation?
A clear text session string in the URL is the worst example I could think of. SAML 2.0 is OK and widely supported, but it is getting old. Oauth 2.0 is a more modern SSO method worth looking into, where you also can limit the scope of what resources the SSO app can access (a mail app can only see your mail, a calendar app can only see your calendar, etc).
Some of the other comments to this question contain things like "no chance of hacking" and "completely secure". I strongly disagree, nothing is ever totally secure. It's a matter of balancing Security, Usability and Low Price. You can have 2 of them :-)
SSO is one of the most secure ways to authenticate a user. However, as usual, it depends on how the deployment is made.
The access to the SSO platform (Microsoft, OneLogin, Okta, ...) should be protected with a strong 2FA/MFA method, passwordless if possible.
On the other hand, multiple security policies may be developed. The duration of the sessions should be defined, very short for profiles like administrators. You can also customize the extra authentication requirements depending on the application that the user is accessing, ...
In conclusion, just choosing an authentication method you won't have the best protection. You should design the deployment to find the best security/efficiency balance, and always using a Zero Trust policy.
Single Sign-On for an application is the most secure way of transition compared to keying a username and password based on each app.
Depending on the SSO provider one can opt to use 2FA on the account to login to the SSO homepage i.e, credentials to log in to SSO once successfully authenticated.
Enable 2FA and only then allow the user to access the SSO page then onwards it will be one click to log in to the assigned application.
Product Manager Cyber Security at a tech services company with 11-50 employees
Real User
Aug 24, 2021
@Evgeny Belenky Dear,
all shall depend on the customer environment.
All comes down to the customer and choice or what they are looking at: what layer? what devices / Infrastructure?
Likewise, you mentioned above that all have their pros and cons. It bottles down to customer expectation, preference and the budgeting at the end. And the way they have perceived the approach we have done towards them.
Firstly let me assure you once you have SSO integration in place using good tool then there is no chance of hacking. If you still think it can be you can go for the MFA(Multi Factor Authentication) where each user will be asked to provide second authentication(ike OTP,Finger Print).
MFA will make sure that authenticated user will only have access.
Find out what your peers are saying about Microsoft, Okta, Google and others in Identity and Access Management as a Service (IDaaS) (IAMaaS). Updated: April 2024.
Yes, it is completely secure, in the new identity unification tools you must add a key component, multi-factor authentication (MFA), so you can confirm that the authenticated user using the SSO credentials is not being impersonated or that their credentials are compromised, applies to personnel who manage platforms such as those who have access to sensitive information in the organization. Microsoft counts, for example, with Azure AD Premium, allows SSO, MFA, but is also supported over conditional authentication (CA).
SSO is a good concept BUT the implementation is fundamentally flawed that’s why it is not secure. Fortunately, that is very easy to fix and the solution on how to fix it it available now.
Identity and access management (IAM) is the process of managing individual network identities (this includes devices as well as users) to determine access privileges for cloud and on-premise applications.
Hi all!
I do not see SSO purely as authentication. SSO is rather the possibility to "re-use" an existing authentication to access additional resources.
The security of the SSO implementation depends on two things:
1. How secure is the initial authentication?
Password alone is (in most cases) not good enough, MFA is a must. The MFA options are not equal, the have different protection against attacks (Man-in-the-Middle, phishing, channel jacking). Passwordless is the future and what to strive for. Also, try to evaluate each sign-in using some sort of Conditional Access. If you secure the initial authentication, all other resources in the SSO realm also get the advantage of that.
2. How secure is the SSO implementation?
A clear text session string in the URL is the worst example I could think of. SAML 2.0 is OK and widely supported, but it is getting old. Oauth 2.0 is a more modern SSO method worth looking into, where you also can limit the scope of what resources the SSO app can access (a mail app can only see your mail, a calendar app can only see your calendar, etc).
Some of the other comments to this question contain things like "no chance of hacking" and "completely secure". I strongly disagree, nothing is ever totally secure. It's a matter of balancing Security, Usability and Low Price. You can have 2 of them :-)
@Tom Aafloen I absolutely agree with you that there is no such a thing as 100% secure!
SSO is one of the most secure ways to authenticate a user. However, as usual, it depends on how the deployment is made.
The access to the SSO platform (Microsoft, OneLogin, Okta, ...) should be protected with a strong 2FA/MFA method, passwordless if possible.
On the other hand, multiple security policies may be developed. The duration of the sessions should be defined, very short for profiles like administrators. You can also customize the extra authentication requirements depending on the application that the user is accessing, ...
In conclusion, just choosing an authentication method you won't have the best protection. You should design the deployment to find the best security/efficiency balance, and always using a Zero Trust policy.
Hi,
Single Sign-On for an application is the most secure way of transition compared to keying a username and password based on each app.
Depending on the SSO provider one can opt to use 2FA on the account to login to the SSO homepage i.e, credentials to log in to SSO once successfully authenticated.
Enable 2FA and only then allow the user to access the SSO page then onwards it will be one click to log in to the assigned application.
-Arun
Like there is an old saying: "Prevention is better than cure".
SSO, 2FA, MFA, and all other methods can add an extra layer of protection or prevent attacks that are getting sophisticated day by day.
@Evgeny Belenky Dear,
all shall depend on the customer environment.
All comes down to the customer and choice or what they are looking at: what layer? what devices / Infrastructure?
Likewise, you mentioned above that all have their pros and cons. It bottles down to customer expectation, preference and the budgeting at the end. And the way they have perceived the approach we have done towards them.
It's safe if you have good authentication for your session certificate. Good insights and advice below.
@Jay Bretzmann did you mean an SSL/TLS certificate here (i.e., the transport level security)?
Firstly let me assure you once you have SSO integration in place using good tool then there is no chance of hacking. If you still think it can be you can go for the MFA(Multi Factor Authentication) where each user will be asked to provide second authentication(ike OTP,Finger Print).
MFA will make sure that authenticated user will only have access.
Yes, it is completely secure, in the new identity unification tools you must add a key component, multi-factor authentication (MFA), so you can confirm that the authenticated user using the SSO credentials is not being impersonated or that their credentials are compromised, applies to personnel who manage platforms such as those who have access to sensitive information in the organization. Microsoft counts, for example, with Azure AD Premium, allows SSO, MFA, but is also supported over conditional authentication (CA).
SSO is a good concept BUT the implementation is fundamentally flawed that’s why it is not secure. Fortunately, that is very easy to fix and the solution on how to fix it it available now.