Passwords are the most common cause of data breaches, with Verizon’s 2022 Data Breach Investigation Report finding that 70% of all successful cyberattacks leveraged credentials in some way, with 82% of attacks being caused by human error.
Malicious actors exploit passwords in 3 main ways: phishing, credential stuffing, and brute force attacks. Despite cybersecurity training raising awareness of these attack vectors, breaches are still happening. Users have the impossible task of remembering secure, unique passwords for dozens of applications at work and in their personal lives. As a result, we still see the insecure practices of users reusing passwords, storing them in spreadsheets, or writing them down on post-it notes.
In addition to the risks of data breaches, employees and IT departments waste considerable time logging in to applications and resetting passwords every day – up to 40% of IT helpdesk calls are for resets alone.
In response to these challenges, organisations are typically deploying solutions that will offer security for the business whilst supporting users in their day to day roles. Here we look at the role SAML Authentication, Enterprise Password Managers, and Identity Management Solutions play in securing enterprises, providing Single Sign-On (SSO) capabilities and reducing the risk of breaches.
What is SAML?
Security Assertion Markup Language (SAML) allows SSO authentication to take place without the use of a password. SAML is an open security standard which facilitates the transmission of authentication and authorisation data between trusted parties.
SAML works by a flow between the user, the Service Provider (SP), and an Identity Provider (IdP) which verifies the identity of the user.
Example:
- Salesforce is the SP
- My1Login is the IdP
In this example, the user is looking to access Salesforce. Provided they have permission to access the application, then, when the user attempts to access Salesforce, My1Login will send a SAML assertion confirming the identity of the user and authorising their access.
What are the benefits of SAML?
Given the increasing desire to move away from password-based authentication, one of the obvious benefits of SAML is it removes the reliance on passwords for access to web applications. Since the SAML assertions sent between the IdP and the SP are only valid for individual sessions, the opportunity for attackers to access the application has a limited window; unlike passwords which will remain valid until they are changed or the data breach is detected.
The ease of deployment is a significant benefit of SAML authentication. For applications which are compatible, the process of provisioning users and setting up a SAML connection is relatively straightforward. Administrators can download certificates and metadata directly from the IdP, before creating a SAML connector in compatible applications to easily onboard users.
There is also the added benefit of improved user experience; users can select SAML applications and be logged in seamlessly. This also means that there are no passwords to reset – easing the burden on the organisation’s service desk.
Whilst SAML authentication may be the best route to removing our reliance on passwords, many applications do not yet integrate with SAML authentication and so it is not always possible to use it.
What is an Enterprise Password Manager?
Enterprise Password Managers help provide SSO for applications that are not SAML compatible and enable enterprises to enforce strong password policies on external cloud applications by creating unique, high-entropy passwords for the user accounts on these applications.
User friction is eliminated as the user simply launches the application or navigates to the application’s URL as usual and the Enterprise Password Manager can be automated to provide SSO and authenticate the user with the application. The user does not need to know or manage the password.
What are the benefits of an Enterprise Password Manager?
Enterprise Password Managers embrace the reality that an extensive array of applications in use across the enterprise still rely on passwords and to mitigate the risks these create by providing a system to manage these rather than leave it to users. Where the password manager is able to generate unique, high-entropy passwords and update these on external applications, this significantly mitigates the enterprise risks from reusing passwords and creates passwords that are almost impossible to break with brute force attacks. For added security benefits, the passwords can also be hidden from users. In addition, since passwords can be undisclosed to the user and the Identity Management solution would have no trust relationship with spoofed sites, it is impossible for credentials to be phished.
User experience is also an important consideration and benefit. Stored identities within the Identity Management solution will be entered into the login form automatically when the user accesses the app, giving a consistent, end-user SSO experience to using SAML. Users also no longer need to manage corporate passwords eliminating the risks of them using weak security practices, such as writing down passwords or storing them in spreadsheets.
Password managers exist for both personal use and for enterprise-scale deployment. Lightweight password managers also exist in most modern web browsers for users to save passwords, although these often lack additional features such as allowing the secure sharing of credentials and can create security risks as users can easily export any stored corporate passwords potentially making them exploitable in the future.
The main advantage of enterprise password managers over SAML is their far greater compatibility. Many applications, particularly legacy, on-premise apps, will not support open security standards such as SAML and OIDC which are necessary to provide passwordless authentication. Since the use of a password is mandated, enterprise password managers can be deployed to mitigate many of the security issues inherent in using credentials for authentication.
Identity Management Solutions
Using the right Identity Management solution will offer the ability to use both SAML authentication for SSO and Enterprise Password Management that offers users a consistent SSO experience across all applications.
Where compatible, SAML should be the preferred method of authentication due to its ease of deployment and increased security. For other applications where SAML is not supported, an IdP should be able to act as a password manager.
Deploying both methods of authentication in a single solution is going to give the best user experience and will support your IT team in managing the product and the business applications.
