"Understanding and Mitigating Single Sign-on Risk"

On average, enterprises use almost 1,000 applications, so it is no surprise that single sign-on (SSO) has become a critical gatekeeper. It provides ease of access and can eliminate the sprawl of usernames and passwords that haunts users and frustrates administrators. Security researchers note that while SSO is useful, it is not without inherent risk: because it uses a one-to-many architecture, a single breached identity instantly gives an attacker access to every resource that account holder is authorized to use. That one-to-many architecture is therefore both SSO's significant advantage and its weakness. The researchers recommend combining multifactor authentication (MFA) with identity verification to close some of the gaps in SSO. Identity-proofing all employees before issuing credentials is, in their view, a strong first step toward bringing SSO into the zero-trust world, which requires reauthentication when risk factors are elevated. To implement zero-trust access, however, organizations must validate a user's identity rather than merely require an additional authentication factor; without this fundamental understanding of identity, no authentication method, SSO included, can be trusted. If an SSO implementation is still based on passwords, it is extremely important to establish a secure password reset process. The researchers conclude that by supplementing SSO with identity verification and advanced MFA, it is possible to eliminate passwords in a safe and secure fashion.
Dark Reading reports: "Understanding and Mitigating Single Sign-on Risk"