SSO and MFA : The Guide to Overcoming Security Limits
When talking about SSO and MFA, some may get mixed up, or perhaps don’t fully understand the added value of combining both of them. Single sign-on (SSO) is all about users gaining access to different apps with a single authentication. As for multifactor authentication (MFA), it adds a layer of security upon authentication to verify the user’s identity.
Understanding what is SSO and how it works
Single sign-on (SSO) is an authentication method allowing a user to use one set of login credentials – most of the time ID + password – to authenticate at the beginning of his/her work shift. This way, the user can enjoy access to multiple applications and websites without having to lose time login in again. A kind of “master sign-on”.
Each time a user logs into an SSO service, the service will create an authentication token that remembers that the user is verified. Any application or website that the user later visits in his work shift will check with the SSO service who will send the user’s token to confirm his identity and give him access. You can imagine this token as being the “keys to the castle”. This means that when a user logs in to another application or software after his first “master sign-on”, the SSO solution logs in on their behalf.
This master authentication made possible by a SSO solution must be protected by an additional and complementary solution called MFA (Multifactor authentication).
Beware of the security limits of SSO
Surely SSO is a gift to users: being able to access everything without additional login. But with this added value in productivity comes an increase in security concerns, with a need for a more secure environment.
Imagine if a hacker gained access to a user’s SSO credentials. This means that all other applications and resources to which the user has access are compromised. It’s like putting all your eggs in one basket.
Get the best of both worlds by combining SSO and MFA
If you are an organisation that “puts all its eggs in one basket” using SSO, then you need to be sure to protect that basket and secure it’s access. The answer is not to remove SSO, but rather to fill in the security gaps without compromising the user experience.
This makes it essential to deploy additional authentication mechanisms beyond a simple combination of ID + password. With SSO you need to ensure that access and identities (credentials) are well protected and secure, for example by combining it with a strong authentication solution (MFA).
According to Microsoft, MFA blocks more than 99.9% of account compromise attacks.
Universal B2B / B2C multifactor authentication
TrustBuilder allows your users to access their applications securely and in a very simple way, whether they are in the office or remotely, with or without a connection, no matter which device they are using.
Business
Enhanced security. Using an SSO solution limits the “zone of attack” for cybercriminals and makes it easier to implement enhanced security measures across multiple services at once. Adding MFA will back up the level security of an SSO solution. Agility and productivity. SSO+MFA is a way to boost agility and productivity as it provides employees immediate access to thousands of applications in a very secure way.
User Experience
No more password hassle. Combining SSO with a passwordless MFA is “the cherry on the cake” when it comes to the user experience. Faster and seamless login experience. SSO offers a faster login experience and some MFA technology can simplify the "master login" experience.
IT management
Simple user access management and auditing. SSO can be used to configure a user's access rights, for example according to his role, department and/or seniority level. In addition, when an employee leaves the company, it is easier to remove their login privileges. Fewer helpdesk activity. Enabling SSO is a great way to reduce the number of end users calling for support because of a password issue. And by choosing the right MFA solution, you can go passwordless, which reduces even more the helpdesk activity.
Not all MFA solutions will secure your SSO to the same extent
Not all MFA solutions are the same as the technologies behind them are quite different. There are several other criteria to consider when evaluating the security and user experience of the different vendors.
As Gartner points out, while some authentication solutions claiming to be “multi-factor” are really just “+1FA” tools adding a single additional factor to an existing password, there are MFA natively 2-factor and passwordless.
Single Sign-On (SSO) is a method of authentication that allows a user to access multiple applications and websites without the time-consuming task of logging in to each one. Only 1 login is required for all applications, a kind of “super login”.
The most obvious advantage of SSO is the time saving for the user, which is a productivity gain for the employer. But beware of security risks. That’s why it’s important to combine it with an MFA solution to get the benefits in terms of user experience, security and IT management.
Whenever a user logs into an SSO service, the service creates an authentication token that will remember that the user has been verified. Thus, any application or associated website that the user needs to log in to later will check with the SSO service, which will send the user’s token to confirm their identity and grant access.
