Single Sign-On – How Does it Work and What is Passwordless SSO?

Shimrit Tzur-David | October 19, 2020

An enterprise’s most significant cybersecurity weakness is something employees do at their workstations every day, often multiple times: enter a password. Verizon’s Data Breach Investigations Report has attributed roughly 80% of hacking-related breaches to weak, reused, or stolen passwords.

One of the first steps enterprises can take to reduce the use of passwords is to implement SSO for their employees’ cloud and web-based accounts. However, by boosting SSO with passwordless authentication, enterprises can further augment their security posture while also reaping additional benefits.

What Is Single Sign-On?

Single sign-on (SSO) is an authentication arrangement in which a user authenticates once, to a central identity provider, and is then admitted to every application or website federated with that provider without being prompted again. As long as the applications or websites are linked within the same SSO mechanism, it does not matter which of them the user opens first.

In practice, SSO centralizes authentication at a single identity provider (IdP). Each federated application trusts the IdP’s assertion about who the user is instead of holding its own copy of the user’s credentials, so the user proves their identity once rather than entering a separate password for each application. Which protocol carries that assertion depends on the environment: SAML or OpenID Connect for web and cloud applications, and Kerberos, backed by a directory typically accessed over LDAP, for on-premises Windows and Unix systems.

SSO works much like a passport. Whoever inspects your passport need not know you beforehand; they know, and trust, the country that issued it. All a passport control agent has to do to decide whether to admit you is match your face to a legitimate passport from your country.

An SSO mechanism acts as your passport for approved applications and websites. A protected application does not need your password in its own database; it redirects you to the identity provider, which confirms your identity and tells the application what access you are entitled to.

If you have a Google account, you already use a version of SSO: the session cookie set when you sign in is presented to every Google application (Gmail, Google Drive, etc.), so a single account password gives you access to all of them and you are not asked for it again when you switch between them.

By combining an SSO mechanism with passwordless multi-factor authentication, enterprises that use various applications can gain dramatic security benefits from eliminating passwords. 

How Does Passwordless SSO Work?

Imagine an enterprise with SSO enabled for its employees. When an employee starts her workday, she first authenticates to the SSO identity provider without a password (for example, with a biometric unlock of a registered device or a hardware security key).

When she then opens an application, the application does not ask her for credentials. It redirects her to the identity provider, which recognizes her existing session and returns a signed assertion stating who she is and that she is allowed to use that application.

The application verifies that assertion and lets her in. The identity provider’s session cookie, set at her initial login, is what lets it vouch for her again when she opens the next linked application, so she switches between applications throughout the day without authenticating again. That cookie is now the credential worth protecting: it should be scoped to the identity provider’s domain, marked Secure and HttpOnly, expire after a bounded time, be invalidated on logout, and be backed by step-up re-authentication for sensitive actions.

The same mechanism works for both applications and websites whether they are cloud-based (typically via SAML or OpenID Connect), reached through a VPN, or hosted on-premises (typically via Kerberos against the corporate directory).
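The flow above, reduced to code. This is an added illustration written for this article, not Secret Double Octopus’s product or any SAML/OIDC library: the identity provider class, the application names and the signing key are hypothetical, and an HMAC stands in for the asymmetric signature a real identity provider would put on a SAML assertion or OIDC ID token. It shows the one thing each party checks: the identity provider issues an assertion only against a live session, and an application accepts an assertion only if it is intact, addressed to that application, and still within its lifetime.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical signing key held by the identity provider (IdP). Real SAML/OIDC
# deployments sign with the IdP's asymmetric key (XML-DSig, JWT RS256/ES256);
# an HMAC is used here only so the example needs nothing beyond the stdlib.
IDP_SIGNING_KEY = b"demo-idp-signing-key-not-for-production"
ASSERTION_LIFETIME_S = 300


def _mac(data: bytes) -> str:
    return hmac.new(IDP_SIGNING_KEY, data, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Holds the user's single authenticated session and mints per-application assertions."""

    def __init__(self):
        self.sessions = {}  # session-cookie value -> {"sub": user, "auth_time": t}

    def passwordless_login(self, user: str, authenticator_verified: bool, now: int):
        """Done once per workday. Returns the IdP session cookie, or None if the
        authenticator check (biometric/security key, modelled as a flag) failed."""
        if not authenticator_verified:
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"sub": user, "auth_time": now}
        return cookie

    def assertion_for(self, cookie: str, audience: str, now: int):
        """An application's redirect arrives carrying the session cookie; issue a
        short-lived assertion addressed to that one application."""
        session = self.sessions.get(cookie)
        if session is None:
            return None  # no IdP session: the user must authenticate first
        claims = {"sub": session["sub"], "aud": audience, "iat": now,
                  "exp": now + ASSERTION_LIFETIME_S, "auth_time": session["auth_time"]}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return body + "." + _mac(body.encode())


def verify_assertion(token: str, expected_audience: str, now: int):
    """Application (service provider) side: accept only an intact, unexpired
    assertion that was minted for this application. Returns the claims or None."""
    body, sep, sig = token.rpartition(".")
    if not sep or not hmac.compare_digest(sig, _mac(body.encode())):
        return None  # forged or tampered
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("aud") != expected_audience:
        return None  # minted for a different application: cross-app replay fails
    if not claims["iat"] <= now < claims["exp"]:
        return None  # stale (or not yet valid)
    return claims


def workday_demo() -> dict:
    """One login, several applications; returns which accesses were accepted."""
    t0 = 1_700_000_000  # constructed clock
    idp = IdentityProvider()
    cookie = idp.passwordless_login("alice", authenticator_verified=True, now=t0)
    mail, crm = "https://mail.example.internal", "https://crm.example.internal"
    results = {}
    # First application of the day: redirect to IdP, receive assertion, app verifies it.
    tok_mail = idp.assertion_for(cookie, mail, t0 + 60)
    results["mail"] = verify_assertion(tok_mail, mail, t0 + 61) is not None
    # Second application an hour later: same IdP session, no re-authentication.
    tok_crm = idp.assertion_for(cookie, crm, t0 + 3600)
    results["crm"] = verify_assertion(tok_crm, crm, t0 + 3601) is not None
    # The mail assertion is not accepted by the CRM application (audience check).
    results["mail_token_at_crm"] = verify_assertion(tok_mail, crm, t0 + 62) is not None
    # An assertion past its lifetime is rejected even though the signature is valid.
    results["stale"] = verify_assertion(tok_mail, mail, t0 + 60 + ASSERTION_LIFETIME_S) is not None
    # Changing the subject while keeping the old signature breaks the MAC.
    _body, sig = tok_mail.rsplit(".", 1)
    forged = base64.urlsafe_b64encode(json.dumps({"sub": "admin"}).encode()).decode() + "." + sig
    results["forged"] = verify_assertion(forged, mail, t0 + 61) is not None
    # With no live IdP session (e.g., after logout) no assertion is issued at all.
    results["no_session"] = idp.assertion_for("not-a-session", mail, t0) is not None
    return results
```

The audience and expiry checks are the two that real deployments most often get wrong: an application that skips the audience check will accept any assertion the identity provider ever issued, and one that skips expiry turns a captured assertion into a long-lived credential.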

The Benefits of Passwordless SSO for Businesses

By simplifying logins and removing the need for multiple passwords, SSO can provide a host of benefits to businesses, including:

Reduced IT support 

Any IT professional will tell you that password queries are a significant support burden. Gartner backs this up, estimating that up to 40% of IT help desk queries relate to lost or forgotten passwords.

By removing passwords altogether, passwordless SSO eliminates that class of ticket and helps cut down IT help desk backlogs.

Better security through unified multi-factor authentication

Passwordless SSO allows multi-factor authentication (MFA) to be used to its full potential. Instead of a password plus a one-time code, the user proves possession of a registered device (unlocked with a biometric or PIN) through a public-key challenge-response protocol such as FIDO2/WebAuthn, so no reusable secret ever leaves the device; the identity provider then vouches for that strong login to every application behind the SSO.

This matters because traditional 2FA can be phished: a real-time proxy site can relay a password and a one-time code to the genuine service before the code expires. A FIDO-style credential is bound to the origin the browser is actually visiting, so a response signed on a look-alike domain is rejected by the real identity provider. Passwordless SSO extends that phishing resistance to every federated application, dramatically improving an enterprise’s posture against targeted phishing.
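Why the origin binding defeats a relay proxy, shown as an added example that is not from the article or the vendor. The key, the identity provider’s origin and the look-alike domain are hypothetical, and an HMAC stands in for the authenticator’s key pair that WebAuthn would actually use; what matters is the structure of what gets signed and what the identity provider checks. The same relay is run against a password-plus-OTP login for contrast.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical values. AUTHENTICATOR_KEY stands in for the authenticator's private key
# and the matching public key the IdP stored at enrollment (WebAuthn uses a key pair).
AUTHENTICATOR_KEY = b"demo-authenticator-key-not-for-production"
IDP_ORIGIN = "https://sso.example.com"


def authenticator_sign(challenge: str, origin_seen_by_browser: str) -> dict:
    """Client side: the browser reports the origin it is on and the authenticator signs
    it together with the IdP's challenge. The user types no secret at any point."""
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser},
                             sort_keys=True)
    signature = hmac.new(AUTHENTICATOR_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


def idp_verify(response: dict, expected_challenge: str) -> bool:
    """IdP side: the signature must be valid AND the signed data must name this IdP's
    own origin and the challenge it issued for this attempt."""
    expected = hmac.new(AUTHENTICATOR_KEY, response["client_data"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(response["signature"], expected):
        return False
    data = json.loads(response["client_data"])
    return data["origin"] == IDP_ORIGIN and data["challenge"] == expected_challenge


def legitimate_login() -> bool:
    challenge = secrets.token_hex(16)             # issued by the IdP for this attempt
    return idp_verify(authenticator_sign(challenge, IDP_ORIGIN), challenge)


def phishing_relay_fido() -> bool:
    """Constructed scenario: the attacker proxies the real IdP through a look-alike domain."""
    phish_origin = "https://sso-example.com"      # hypothetical look-alike
    challenge = secrets.token_hex(16)             # attacker fetched this from the real IdP
    # The victim's browser is on the phishing site, so that is the origin that gets signed.
    victim_response = authenticator_sign(challenge, phish_origin)
    # The attacker forwards the response to the real IdP unchanged; the origin check fails.
    return idp_verify(victim_response, challenge)


def otp_service_verify(submitted: dict, stored_password: str, otp_seed: str, window: int) -> bool:
    """Password + 6-digit OTP check: nothing that is verified records where the user typed it."""
    expected_otp = hashlib.sha256(f"{otp_seed}:{window}".encode()).hexdigest()[:6]
    return submitted["password"] == stored_password and submitted["otp"] == expected_otp


def phishing_relay_otp() -> bool:
    """The same relay against password + OTP: proxied values are accepted inside the OTP window."""
    seed, window = "seed-for-alice", 28_333_333   # constructed user record
    victim_typed = {"password": "Winter2020!",
                    "otp": hashlib.sha256(f"{seed}:{window}".encode()).hexdigest()[:6]}
    relayed_by_attacker = dict(victim_typed)
    return otp_service_verify(relayed_by_attacker, "Winter2020!", seed, window)
```

The defence lives entirely in the verifier: the attacker never has to break the signature, but a signature over the wrong origin is worthless to the real identity provider, whereas a relayed password and OTP are indistinguishable from the originals.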

Faster software uptake

Since new applications can be federated with the existing identity provider instead of each arriving with its own login procedure to roll out, passwordless SSO simplifies the user experience. That, in turn, allows for more rapid software uptake across an enterprise.

With only one login system to coordinate, onboarding new users, particularly in regulated industries, becomes much easier.

Passwordless SSO vs. Password-Based SSO

While SSO can be combined with password-based authentication, the key to unlocking its true potential is combining an SSO mechanism with passwordless access.

Passwordless SSO gives enterprises a single point of entry with a secure authentication process adapted to how the enterprise operates. Doing so streamlines the user experience by removing the arduous task of repeating MFA procedures for different applications, and protects the enterprise from targeted phishing attacks.

This second point is increasingly important. Although phishing attacks rose sharply in 2020, a recent study found that 43% of employees are still unsure what a phishing attack is. Passwordless SSO deprives threat actors of their most sought-after phishing target: passwords.

SSO and Remote Work

As enterprises use a greater variety of software tools, providing adequate security across hybrid and distributed working environments can impose a taxing amount of authentication on remote employees.

Passwordless SSO streamlines this experience and allows critical business resources to be securely accessed by remote and co-located workers in the same way. Rolled out across an enterprise, a cloud-based SSO solution will enable employees to safely access applications with the same ease regardless of where they are working.

SSO also improves security in cloud-based environments. Because access decisions are made in one place, IT teams can see and control which users can reach which applications and enforce policy centrally, rather than per application, where access misconfigurations are easy to miss.

The Value of On-Premise Infrastructure Support

A persistent misconception about SSO is that enterprises need separate solutions for on-premises and cloud-based SSO. In the past, cloud-based SSO solutions supported only cloud SSO standards; that is no longer the case. As a comprehensive SSO solution, Secret Double Octopus allows a unified SSO environment that is fully compatible with corporate infrastructure regardless of whether it is on-premises or in the cloud.