Since its invention in 1960, the computer password remains by far the most widely used method of authentication. Yet perhaps unsurprisingly given the age of the technology, passwords are as problematic as they are common, being involved in over half of data breaches according to Verizon.
With the average enterprise using over 250 cloud apps, the prospect of employees remembering unique, strong passwords for each of them is simply impractical, even ignoring the potentially even greater number of personal passwords users must also memorise. As a result, users tend to resort to several practices to deal with the problem:
Even training employees on cybersecurity does little to change user behaviour. Research carried out by My1Login found that even among employees who have received cybersecurity training, 85% still reused passwords, and training had no effect at all on users choosing to write their passwords down.
Fundamentally, the problem is due to the fact that end-users are forced to adopt insecure practices, such as reusing and writing down passwords, because of the impracticality of remembering so many passwords. As organisations transform to the cloud, the issue only worsens, as there are an increasingly large number of usernames and passwords to remember and manage. With humans as the central limiting factor, a technological solution is required.
While Single Sign-On (SSO) can be viewed as a tool that improves user experience and productivity, its most important benefits lie in security. SSO can replace passwords with secure tokens using open security standards such as SAML and OIDC, or some can incorporate Enterprise Password Management to automatically generate strong, unique passwords which are undisclosed to users, and automatically enter them into login forms.
This prevents many of the most common methods attackers use to gain unauthorised access to applications protected by password-based authentication. Passwords are typically compromised in one of three ways:
SSO addresses the vulnerabilities of passwords and prevents these three methods from being effectively deployed by attackers. Clearly, when passwords have been replaced altogether by passwordless authentication via secure tokens, these forms of attack are no longer possible. Where passwords do continue to be used, due to limitations of the application, and Enterprise Password Management is used to authenticate users, the risk from these attacks is also mitigated. The passwords generated from Enterprise Password Management solutions are typically complex and unique, preventing brute force attacks and the risk of credential stuffing from reused passwords. Since the passwords can also be undisclosed to end-users, employees also cannot be phished of passwords if they are unaware of what they are.
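The properties described above, that an Enterprise Password Management component issues each application a long, random, unique secret the user never sees, can be demonstrated in a few lines. The following is an added example written for this article, not My1Login's code or any product's implementation; the application names are constructed sample data, and the guess rate used for the brute-force estimate is an assumed figure. It generates a per-application vault from a cryptographically secure source, computes the entropy of each password, checks that no two applications share a password (the condition that makes credential stuffing ineffective), and estimates how long an exhaustive search would take at the assumed rate.

```python
import math
import secrets
import string

# Constructed sample data: applications a hypothetical user is enrolled in.
APPS = ["crm.example", "hr.example", "wiki.example"]

# Character set an EPM might draw from: 52 letters + 10 digits + 32 punctuation = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Draw a password from a CSPRNG (the secrets module), never from random.random()."""
    if length < 16:
        raise ValueError("refusing to generate a short password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def provision_vault(apps, length: int = 24) -> dict:
    """Assign every application its own generated password.

    The resulting mapping is what the EPM would store and auto-fill; the
    user is never shown the values, so they cannot be phished for them.
    """
    vault = {}
    for app in apps:
        pw = generate_password(length)
        # Collisions are astronomically unlikely, but uniqueness is the property
        # we rely on, so enforce it explicitly rather than assume it.
        while pw in vault.values():
            pw = generate_password(length)
        vault[app] = pw
    return vault


def reused_passwords(vault: dict) -> dict:
    """Return {password: [apps]} for any password shared by more than one app.

    An empty result means a credential leaked from one application cannot be
    replayed against another (no credential-stuffing exposure).
    """
    by_password = {}
    for app, pw in vault.items():
        by_password.setdefault(pw, []).append(app)
    return {pw: apps for pw, apps in by_password.items() if len(apps) > 1}


def years_to_brute_force(bits: float, guesses_per_second: float = 1e12) -> float:
    """Expected years to search half the keyspace at an assumed guess rate.

    1e12 guesses/second is an assumed, generous offline-cracking figure used
    only to put the entropy number in context.
    """
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    vault = provision_vault(APPS)
    bits = entropy_bits(24)
    print(f"{len(vault)} applications provisioned, {bits:.1f} bits each")
    print(f"reused passwords: {reused_passwords(vault)}")
    print(f"expected brute-force time: {years_to_brute_force(bits):.3g} years")
```

Running the script provisions three independent secrets and reports no reuse; the same `reused_passwords` check run over an existing vault is the audit an administrator would want, since it is reuse, not weak complexity alone, that lets one breached site expose the others.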
Within the SSO solution, whether passwords or secure tokens are used to authenticate, the end-user experience is the same. After authenticating with the corporate directory, employees need only access an application to be automatically authenticated – no more time spent managing, remembering or entering passwords to gain access. In addition, some SSO solutions can automatically discover new apps being used by employees, allowing administrators to easily include them within the SSO solution and mitigating security risks from Shadow IT.
By taking the responsibility of creating, managing and entering passwords away from employees, the human factor is ultimately removed as a limitation and a strong password policy can be effectively enforced, or passwords removed altogether, eliminating a number of the most common attack vectors available to cybercriminals.