
IS Decisions Blog

Improve Active Directory security with SSO and MFA

If your on-premise Active Directory users access both cloud and network resources, combine SSO and MFA for better security and more convenience. It’s a win-win.

Published May 11, 2022

The foreseeable future of IT is hybrid. While some functions will stay on-premises, others will move to the cloud. But the increased flexibility of the cloud comes at the expense of simplicity.

With multiple platforms and SaaS applications comes a dramatic increase in administrative overhead and, to some degree, a drop in user productivity. A significant contributor to these issues is the variety of authentication methods that control access.

With so many passwords to manage, it is no wonder users recycle and reuse their passphrases. This creates a significant threat to your Active Directory security. There is, however, a solution. UserLock allows you to combine SSO and MFA for secure access to your line-of-business apps.

What is SSO?

Single sign-on (SSO) is a way to simplify the logon process. In everyday life, SSO allows people to use one set of existing credentials from a trusted third-party service (like Google, Facebook, or Apple) to access a host of other web and cloud applications.

In business, single sign-on using Active Directory (AD) credentials is quite appealing. Users only have to remember one password, and AD retains all user authentication and account management. With SSO, your users’ AD credentials unlock access across multiple applications without (in theory) compromising the security of your organization.

What is MFA?

Multi-factor authentication (MFA) relies on a username, a password, and at least one other factor to confirm a user’s identity before granting system access. The most common form of MFA, two-factor authentication (2FA), requires a second method of authentication in addition to the username and password.

This second factor, whether a code, a push notification, or a keycard, adds an additional layer of security. The idea is that even if a user’s password has been compromised, attackers still cannot break into the network because they cannot satisfy the second factor.

What do you gain by combining SSO and MFA for Active Directory?

SSO is hugely convenient for your end users. MFA provides peace of mind for your security administrators. Active Directory keeps your identity management centralized. Combining MFA, SSO and Active Directory offers the best of all and helps to improve system security for hybrid cloud / on-premise operations.

Productivity and security gains

For users, the biggest benefit is productivity. Because they don’t need to remember multiple passwords or go through the logon process repeatedly, they can get to work sooner. All they need is their AD credentials and a second factor to log in once, which gives them access to all of your AD-connected assets. The entire login process is streamlined and simplified.

There is also a productivity gain for your systems administrators, who no longer have to deal with as many password reset requests. This is particularly true if passwords need to be reset or synchronized across several applications in addition to your Active Directory store. Those time savings can be reinvested in strategic IT projects that help drive the business forward.

With a trusted SSO service you can also increase the strength of your in-house password requirements. Users are notoriously bad at remembering strong passwords, but with SSO that problem goes away. If they can successfully authenticate with the SSO provider, they can access your systems. In the background you can raise password complexity requirements; the user will never see these changes, but your systems’ defenses will be stronger as a result.

Mitigating SSO risks

While a single sign-on Active Directory integration makes life easier in many ways, the systems administrator must also guard against the significant risks of SSO. If attackers compromise a user’s AD credentials, they could gain access to all of your AD-linked systems. Given that 80% of data breaches are initiated through the use of stolen or lost credentials, this is a justified concern.

Deploying MFA alongside SSO dramatically reduces that risk. Unless attackers can both steal a password and pass one or more additional authentication factors (quite unlikely), they cannot access your Active Directory assets.

Combine SSO and MFA to balance security and productivity

In isolation, SSO creates as many problems as it solves. But adding MFA mitigates many of the concerns about password-related system compromise.

SSO and MFA already have value for businesses established in the cloud, but there are clear benefits as well for any organization wanting to ramp up hybrid operations. By implementing now, it is possible to simplify the transition to hybrid Active Directory without compromising cloud resources. The same authentication methods will work consistently across all systems regardless of where they are physically located.

Adopting SSO and MFA has the added advantage of allowing you to retain full control of your authentication mechanisms. This allows you to retain your on-premise AD controller for user authentication without limiting your cloud expansion options.

Consequently, concerns about ceding control to third parties or the relative security of hosted or unfamiliar solutions can be addressed quickly and simply, because effectively nothing changes. A single sign-on Active Directory integration with MFA is an ideal solution for cloud-hesitant organizations that want to be sure their systems are properly secured as they begin the transition towards hosted applications and infrastructure.

Strengthen system security and improve user experience

SSO and MFA offer something for everyone in your organization’s ecosystem. Users enjoy the simplicity of single sign-on functionality and the fact they only need to remember one password. The IT department appreciates the additional layer of security provided by multi-factor authentication that protects against lost and stolen credentials.

Alone, each technology has its drawbacks, but combining SSO and MFA strengthens existing system security and prepares your authentication systems for the challenges of the hybrid cloud operating model, so your business can grow and expand without increasing security risk.
