2020-06-22T07:59:00Z

Is SSO safe?


SSO seems like a great way to simplify secure user authentication, but is it safe? If SSO is compromised, surely this poses a greater risk, as then all one's passwords can be accessed across all applications? 

ITCS user
Guest

Tom Aafloen
Top 5 Consultant

Hi all!


I do not see SSO purely as authentication. SSO is rather the possibility to "re-use" an existing authentication to access additional resources.


The security of the SSO implementation depends on two things:


1. How secure is the initial authentication?


Password alone is (in most cases) not good enough; MFA is a must. The MFA options are not equal: they have different protection against attacks (man-in-the-middle, phishing, channel jacking). Passwordless is the future and what to strive for. Also, try to evaluate each sign-in using some sort of Conditional Access. If you secure the initial authentication, all other resources in the SSO realm also get the advantage of that.


2. How secure is the SSO implementation?


A clear-text session string in the URL is the worst example I could think of. SAML 2.0 is OK and widely supported, but it is getting old. OAuth 2.0 is a more modern SSO method worth looking into, where you can also limit the scope of what resources the SSO app can access (a mail app can only see your mail, a calendar app can only see your calendar, etc.).


Some of the other comments to this question contain things like "no chance of hacking" and "completely secure". I strongly disagree, nothing is ever totally secure. It's a matter of balancing Security, Usability and Low Price. You can have 2 of them :-)

2021-08-24T12:34:02Z
Evgeny Belenky
Community Manager

@Tom Aafloen I absolutely agree with you that there is no such thing as 100% secure!

Top 10 Real User

SSO is one of the most secure ways to authenticate a user. However, as usual, it depends on how the deployment is made.


Access to the SSO platform (Microsoft, OneLogin, Okta, ...) should be protected with a strong 2FA/MFA method, passwordless if possible.


On the other hand, multiple security policies may be developed. The duration of the sessions should be defined, very short for profiles like administrators. You can also customize the extra authentication requirements depending on the application that the user is accessing, ...


In conclusion, just by choosing an authentication method you won't have the best protection. You should design the deployment to find the best security/efficiency balance, always using a Zero Trust policy.

2021-08-24T10:26:28Z
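Two of the answers above make concrete, checkable points: Tom Aafloen's that an OAuth 2.0-style scope limits what each SSO-connected app can reach (mail app sees mail, calendar app sees calendar), and the second answer's that session lifetime should be short for administrators and that sensitive applications can demand extra authentication. The following Python is an added illustration of both, not code from this thread or from any vendor named in it. It mints an HMAC-signed session token at sign-in (the role, scope list, MFA indicator and lifetimes are assumed for the demo) and then has a resource server enforce scope, expiry and a per-application MFA requirement:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example. A real issuer would sign with an asymmetric key so that
# resource servers only hold the public half; a shared HMAC key keeps the demo short.
SECRET = b"constructed-demo-signing-key"  # assumption: demo key only

# Assumption: session lifetime depends on role (short for administrators).
SESSION_LIFETIME = {"admin": 15 * 60, "user": 8 * 60 * 60}

# Assumption: each application needs one scope; sensitive apps also demand MFA.
APP_POLICY = {
    "mail": {"scope": "mail.read", "require_mfa": False},
    "calendar": {"scope": "calendar.read", "require_mfa": False},
    "admin-console": {"scope": "admin", "require_mfa": True},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, role, scopes, mfa_used, now=None):
    """Mint 'body.signature' once, after the initial SSO sign-in."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": subject,
        "role": role,
        "scope": " ".join(scopes),                      # space-separated, OAuth style
        "amr": ["pwd", "mfa"] if mfa_used else ["pwd"],  # how the user authenticated
        "iat": now,
        "exp": now + SESSION_LIFETIME[role],
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Check signature and expiry; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise ValueError("session expired")
    return claims


def authorize(token, app, now=None):
    """Resource-server decision for one application; returns (allowed, reason)."""
    try:
        claims = verify_token(token, now)
    except ValueError as err:
        return False, f"invalid token: {err}"
    policy = APP_POLICY[app]
    if policy["scope"] not in claims["scope"].split():
        return False, f"scope '{policy['scope']}' not granted"
    if policy["require_mfa"] and "mfa" not in claims["amr"]:
        return False, "MFA required for this application"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_000_000
    mail_app = issue_token("bob", "user", ["mail.read"], mfa_used=False, now=t0)
    print("mail app -> mail:", authorize(mail_app, "mail", now=t0))
    print("mail app -> calendar:", authorize(mail_app, "calendar", now=t0))
    admin = issue_token("alice", "admin", ["admin"], mfa_used=True, now=t0)
    print("admin after 20 min:", authorize(admin, "admin-console", now=t0 + 20 * 60))
```

The signature check runs before any claim is trusted, so a client that edits the scope list in the body is rejected rather than granted the extra access, and the same token that opens the mail application is refused by the calendar one.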
Top 10 Real User

Hi,


Single Sign-On for an application is the most secure way of transition compared to keying in a username and password for each app.


Depending on the SSO provider, one can opt to use 2FA on the account to log in to the SSO homepage, i.e., the credentials to log in to SSO, once successfully authenticated.


Enable 2FA and only then allow the user to access the SSO page; from then onwards it will be one click to log in to the assigned application.


-Arun

2021-08-25T10:23:20Z
Hasan Zuberi ( HZ )
Top 5 Real User

As the old saying goes: "Prevention is better than cure".


SSO, 2FA, MFA, and all other methods can add an extra layer of protection or prevent attacks that are getting more sophisticated day by day.

2021-08-24T06:08:34Z
Evgeny Belenky
Community Manager

@Hasan Zuberi ( HZ ) thanks for your answer and I agree with your statement about "prevention"!
However, possibly not all of the mentioned methods are equally secure, and each one has its pros and cons. What do you think? Which one would you recommend using, and when?

Hasan Zuberi ( HZ )
Top 5 Real User

@Evgeny Belenky Dear,
it all depends on the customer environment.
It all comes down to the customer and their choice, or what they are looking at: what layer? what devices / infrastructure?
Likewise, as you mentioned above, all have their pros and cons. It boils down to customer expectation, preference and budgeting at the end, and the way they have perceived the approach we have taken towards them.

Jay Bretzmann
Top 10 Real User

It's safe if you have good authentication for your session certificate. Good insights and advice below.

2021-08-25T17:49:37Z
Evgeny Belenky
Community Manager

@Jay Bretzmann did you mean an SSL/TLS certificate here (i.e., the transport-level security)?

Top 5 Leaderboard Real User

Firstly, let me assure you that once you have SSO integration in place using a good tool, there is no chance of hacking. If you still think it can be, you can go for MFA (Multi-Factor Authentication), where each user will be asked to provide a second authentication (like OTP, fingerprint).


MFA will make sure that only the authenticated user will have access.

2020-06-23T04:28:45Z
Top 10 User

Yes, it is completely secure. In the new identity unification tools you must add a key component, multi-factor authentication (MFA), so you can confirm that the authenticated user using the SSO credentials is not being impersonated and that their credentials are not compromised; this applies to personnel who manage platforms as well as those who have access to sensitive information in the organization. Microsoft, for example, has Azure AD Premium, which allows SSO and MFA but is also supported by conditional authentication (CA).

2020-06-22T22:11:40Z
User

SSO is a good concept BUT the implementation is fundamentally flawed; that's why it is not secure. Fortunately, that is very easy to fix and the solution on how to fix it is available now.

2020-06-22T21:09:33Z