If you’ve ever logged in to Candy Crush with your Facebook account, or confirmed your identity before making an online purchase by signing in via Amazon or Google, you’ve used single sign-on.
With single sign-on (SSO), a centralized user authentication service allows you to use one set of login credentials to access multiple applications or platforms. In other words, one website relies on another trusted site to verify your identity.
It’s practical and convenient. Single sign-on can save you time and reduce the hassle of repeatedly resetting forgotten passwords. Because you need to remember fewer passwords overall, you’re more likely to choose longer, stronger, and more complex credentials—the kind that are more difficult for attackers to compromise. And you’ll probably make fewer help desk calls.
How Does Single Sign-On Work?
SSO systems were designed for security. Rather than passing your actual username and password between websites and apps, these services instead share an access token. An access token is like a notification of approval: it indicates that a user has been authenticated, and is authorized to perform certain functions, but access to their private data or credentials is not given.
An access token works somewhat like a credit card transaction approval number. It’s a code or key that enables one website or application to use the services of another, without sharing all of your account details.
Most of the companies—including Microsoft, Facebook, Amazon, Twitter, and Google—that provide SSO login services to individuals rely on the same standard protocols. Called OAuth, these protocols are intended to be secure, simple, and highly standardized, making them suitable for widespread use.
Businesses usually instead employ Security Assertion Markup Language (SAML) based protocols in their internal single sign-on access systems. With increasing numbers of small and mid-sized organizations making use of cloud-based services, using these SSO systems can improve security and make it easier for IT administrators to manage access to diverse web-based applications and resources.
Is Single Sign-On Secure?
Generally speaking, single sign-on is no more or less secure than the centralized authentication service that you’re using. For instance, if you’re using Facebook to log in to third-party applications, your credentials are being stored in accordance with Facebook’s encryption standards, and access to your account information is governed by Facebook’s privacy policies.
Most SSO authentication providers are deeply concerned about security and devote a great deal of attention and resources to it. Their systems usually have extensive security measures in place and protect user passwords with strong encryption, so they can’t be accessed even if they provider’s systems are compromised.
In contrast, smaller e-commerce businesses usually don’t have the time or money to develop their own login and security systems, and those that do may not be able to implement systems that are as robust as those of major SSO providers.
What Are the Drawbacks to Single Sign-On?
SSO establishes a single, centralized point of failure for multiple account logins. So if, say, Google stops working, you cannot access all the accounts that you usually log into with Google. And if Facebook suffers a data breach, hackers may be able to compromise the access tokens that Facebook issues as well.
Because SSO increases the number of accounts and resources that you can gain access to from a single account’s login credentials, if that account gets compromised, a hacker might be able to gain access to more of your personal data or account information than if you weren’t using it.
All in all, creating strong and unique passwords for each of your user accounts individually might well offer better security than SSO, but only if you can remember these passwords, change them regularly, and keep them long, un-guessable and containing a good mix of numbers, letters, symbols, and special characters. In the real world, for the majority of users, single sign-on is likely to be a better solution.
What are Best Practices for Single Sign-On Security?
Implementing SSO has numerous benefits for businesses. It improves productivity and reduces password fatigue. Coupled with employee training, it can significantly improve overall password hygiene within your organization. SSO can also make it easier to introduce secure bring-your-own-device (BYOD) policies.
It’s important to select an SSO system that supports secure storage of authentication credentials and encryption keys. It’s also critical to ensure that you’ve properly segmented your network to protect your main identity service within your IT environment.
Adding multi-factor authentication (MFA) to your SSO implementation can improve security significantly without compromising convenience. With MFA, users are required to verify their identify through additional means, such as via a second device or with a separate security token. MFA can be implemented for access to high-risk or sensitive systems only, or more broadly throughout your organization.
Here at Edge Networks, we have in-depth experience helping our clients balance their needs for security, usability, and convenience. To learn more about choosing a single-sign on solution for your business, contact us to schedule a free assessment.
Or watch this video to hear Josh McKinney, our CIO, give a brief overview of this technology and how it can work for you.