The Future of Single Sign-On: Passwordless SSO for everything in the enterprise, including password-based apps

Don Shin | April 29, 2025

Users love single sign-on or “SSO” because it makes their lives easier. IT loves it because it makes companies safer. But SSO as it’s been deployed to date has two inherent limitations that keep it from extending value across the whole enterprise.

As we’ll see here, these limitations can be overcome using a forward-looking passwordless approach to bridge gaps in coverage and compliance—without a hefty additional investment.

What you’ll learn:

  • The three main limitations of most SSO platforms
  • How to eliminate passwords and extend SSO across your organization
  • How to build a future-ready passwordless SSO with the Octopus platform

What is single sign-on and how does it work?

Users log into single sign-on portals and immediately gain access to multiple applications and websites all in one place, secured and sanctioned by their organizations. For users, SSO reduces the number of passwords they have to remember and the number of times they need to authenticate throughout the day — typically to once per day or each time they reconnect to the company network.

That reduces friction and the odds of credentials getting compromised, which also makes IT happy. SSO also makes life easier for IT and security teams by reducing Help Desk calls from users struggling to log into various applications and services.

So far, so good. So, what’s wrong with SSO as we know it?

Today’s SSO has hit a brick wall

Make that a few walls. SSO as most companies know and deploy it today has reached its practical limits for three reasons. Most SSO:

  • Creates a new attack vector
  • Provides only limited coverage
  • Continues to rely on passwords

Let’s break these challenges down.

A single point of entry = a single point of attack

Concentrated access equals concentrated risk. Because companies consolidate access for many apps and services behind SSO, the portal itself becomes a compelling target for cyber attackers, a potential digital ‘single point of failure.’

Should attackers manage to sneak into the portal – the modern-day equivalent of sneaking past the firewall – they immediately gain access to every tenant’s apps and user accounts. Savvy threat actors have already begun figuring this out, as with the breached Oracle Cloud SSO login servers.

“SSO bypass” risk on the rise

When SSO policies aren’t uniformly or strictly enforced, malicious actors can more easily authenticate directly to an application supposedly secured by SSO using stolen credentials. Logging into the app outside of the SSO’s centralized control creates a universal entry point for accessing vital resources without triggering detection by security controls.

SSO only works with modern SaaS applications

The other inherent limitation of today’s SSO is partial use case coverage. Virtually all solutions only work with SaaS applications and platforms – Google Workspace, SFDC, Workday, O365 – out of the box. And yes, that covers a significant percentage of the productivity tools in many workers’ daily routines, but that’s not enough.

Gaps in coverage create two very different problems, each with its own set of consequences:

SaaS isn’t everything for workers

Most workers still need to log into other apps and services that aren’t connected to the SSO portal at some point during the workday. These ‘disconnected’ apps include on-premises, legacy, and line-of-business applications, as well as network services like VPN, RDP, and VDI. That means maintaining parallel authentication workflows, often multiple sets of usernames and passwords, and possibly hardware keys, smartcards, and other types of authenticators.

In this scenario, users’ lives get more complicated by having to maintain multiple workflows. This discontent paves the way for mistakes, complaints, and dangerous workarounds.

Partial coverage = partial compliance

For heavily regulated sectors like government, critical infrastructure, healthcare, and financial services, all user and privileged admin logins must comply with mandates for strong authentication. While SSO might satisfy these requirements for protected SaaS applications, users continue to type passwords into all those other apps and services on every access.

In this second scenario, IT and compliance teams’ lives become complicated by treating non-SaaS applications as exceptions to the rule — and some rules can’t legally be broken. The limitations of SSO’s use case coverage leave IT and security teams with much more work to enforce policies, maintain clear audit trails, and demonstrate adherence to best practices to their customers, regulators, cyber insurance providers, and other third parties.

While these two fundamental gaps should be addressed today, SSO’s other inherent limitation stands to create even greater challenges down the road. Namely:

Most SSO isn’t passwordless

Most vendors’ SSO starts with a password login. When passwordless authentication methods are enabled, like FIDO or biometric mobile push, the password authentication option is left available for the user’s convenience – and for attackers to exploit.

Passwordless means no passwords

This should be an obvious statement to make, but leading vendors take liberties with their definitions of ‘passwordless.’ With a true passwordless authentication platform, users never need to set, remember, enter, reset, or guard passwords with their lives. Ever, including for fallback when authenticators fail or go missing.

That’s what must change for SSO to enter a new era of technical maturity and deliver value to enterprises.

The future of SSO is passwordless SSO — that works everywhere in the enterprise

As a centerpiece and central control point for securing company assets, SSO should extend to everything in the enterprise. As a critical component of identity and access management (IAM) and compliance programs, it should also be passwordless.

Octopus extends SSO user experience to password apps

Octopus takes a unique approach to extending the single sign-on user experience to password-based apps, allowing businesses to expand secure, easy access throughout the enterprise. Here’s how we do it:

  1. The Octopus passwordless authentication platform replaces users’ directory password entries with machine-generated tokens that users never know exist.
  2. Once the user satisfies the initial authentication requirements by logging into their managed desktop computer, Octopus starts tracking their sign-in status.
  3. When the user accesses IT-managed SSO web portal applications, Octopus grants access as any SSO identity provider (IDP) would.
  4. When the user accesses a password-based application that IT added to the Octopus-managed application list, the platform checks that the access request meets approved policies. If cleared, Octopus injects the user’s assigned tokens into the credential field and completes authentication without user intervention. The process takes place seamlessly; the tokens expire (too fast to be phished or intercepted), and no recoding of applications or reconfiguring of identity directories is required to support the frictionless login.
  5. Users can then safely access every app behind the SSO portal, plus the approved password-based apps that IT assigned to Octopus.
  6. After remaining idle for a set period, users are prompted to reauthenticate to the Octopus platform quickly and passwordlessly.

End-to-end passwordless authentication avoids friction and phishing

Removing passwords from every access makes security exponentially stronger. Passwordless authentication preempts risk from phishing in all its many forms – vishing, quishing, whaling, man-in-the-middle (MITM) attacks, and others. That represents a huge benefit since, even with today’s predominance of MFA, compromised credentials still factor into 80% of data breaches year after year.

From there, having the same passwordless authentication platform automatically log users into the SSO portal helps companies achieve strong, NIST AAL3-compliant authentication that meets even the most stringent security requirements, and delivers a seamless, frictionless experience for users.

Aside from making authentication stronger company-wide, passwordless SSO delivers a vastly improved and simplified login experience to users. When you extend that to protect everything, issues with frustration, fatigue, and forgotten credentials get resolved.

Check out the blog, “What is Passwordless SSO?”

Octopus extends your IAM vendor’s SSO investments

Octopus passwordless SSO improves upon—and works with—other SSO approaches from Microsoft Entra, Okta, Cisco Duo, and other IAM vendors. Our compatibility with other technologies lets customers extend secure SSO to everything in their enterprise out of the box, and extend the value of existing investments.

Coverage can be extended quickly and easily to password-based applications and network services that would otherwise require heavy lifting by IT to support passwordless login. Login friction decreases as users access everything in the enterprise in a fraction of the time, and at a fraction of the cost.

Octopus:

  • Works with leading IAM vendors to extend the value of investments
  • Requires no redesign of password-based apps and network services (VPN, VDI, RDP, VNC)
  • Delivers zero-trust, phishing-resistant MFA
  • Accelerates time to value as businesses achieve full passwordless coverage in days

The future of SSO is now—get started today.

FAQ

What is “SSO bypass”?

SSO bypass occurs when SSO policies aren’t uniformly or strictly enforced. Malicious actors may authenticate directly to an application using stolen credentials, outside the SSO’s centralized control, and then access all the other apps the service supposedly protects. Circumventing SSO creates a universal entry point for accessing vital resources without triggering detection.
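The “SSO bypass” risk described above (in the “SSO bypass” section of the post and in this FAQ answer) comes down to a gap between two logs: the identity provider records which assertions it issued, and each application records who logged in. A login that the application accepted but that the IdP never vouched for is the signal a security team wants to alert on. The following is an added example, not code from the original post or from Octopus; the log line format, the five-minute correlation window, and the sample entries are all constructed for illustration.

```python
"""Correlate application logins against IdP assertions to surface SSO bypass.

Assumption for this example: both logs are simple 'TIMESTAMP key=value ...'
lines. Real IdP and application logs differ in shape; the correlation logic
is what carries over, not the parser.
"""
from datetime import datetime, timedelta

# Constructed IdP (SSO portal) assertion log: when the IdP vouched for a user to an app.
IDP_LOG = """\
2025-04-29T08:01:10Z idp assertion user=alice app=hrportal
2025-04-29T08:01:45Z idp assertion user=bob app=crm
2025-04-29T09:15:00Z idp assertion user=alice app=crm
"""

# Constructed application login log: method=saml means the app believes SSO was used.
APP_LOG = """\
2025-04-29T08:01:12Z app=hrportal user=alice src=10.0.0.5 method=saml
2025-04-29T08:01:47Z app=crm user=bob src=10.0.0.9 method=saml
2025-04-29T08:30:00Z app=crm user=carol src=203.0.113.7 method=password
2025-04-29T09:15:03Z app=crm user=alice src=10.0.0.5 method=saml
2025-04-29T10:05:00Z app=hrportal user=carol src=10.0.0.44 method=saml
2025-04-29T11:42:19Z app=hrportal user=bob src=198.51.100.23 method=password
"""

# How long after an assertion an app login may still be attributed to it (assumed value).
MAX_ASSERTION_AGE = timedelta(minutes=5)


def parse_kv_line(line):
    """Parse 'TIMESTAMP key=value ...' into (datetime, dict); bare words are ignored."""
    ts, *rest = line.split()
    fields = {}
    for tok in rest:
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields


def load_assertions(text):
    """Index IdP assertions as (user, app) -> list of issue times."""
    index = {}
    for line in text.splitlines():
        if line.strip():
            when, f = parse_kv_line(line)
            index.setdefault((f["user"], f["app"]), []).append(when)
    return index


def find_sso_bypass(idp_text, app_text, max_age=MAX_ASSERTION_AGE):
    """Return (time, user, app, reason) for every app login the IdP did not vouch for.

    Two cases are flagged: the app reports a non-SSO method (a direct password
    login around the portal), or the app reports SSO but no assertion for that
    user/app exists within max_age before the login.
    """
    assertions = load_assertions(idp_text)
    findings = []
    for line in app_text.splitlines():
        if not line.strip():
            continue
        when, f = parse_kv_line(line)
        user, app, method = f["user"], f["app"], f.get("method", "?")
        recent = [t for t in assertions.get((user, app), [])
                  if timedelta(0) <= when - t <= max_age]
        if method != "saml":
            findings.append((when, user, app, "direct login with method=" + method))
        elif not recent:
            findings.append((when, user, app, "SSO login with no matching IdP assertion"))
    return findings


if __name__ == "__main__":
    for when, user, app, reason in find_sso_bypass(IDP_LOG, APP_LOG):
        print(f"{when.isoformat()} user={user} app={app}: {reason}")
```

Run against the constructed logs, the check flags three events: carol’s password login to crm, carol’s hrportal login that claims SSO but has no assertion behind it, and bob’s password login to hrportal. Alice’s and bob’s other logins each fall within seconds of a matching assertion and pass. The second rule matters as much as the first: an application that accepts “SSO” logins the IdP never issued is just as far outside centralized control as one that still takes passwords.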