From an end user’s perspective, single sign on is a great idea. You log into one platform, which gives you access to multiple applications, programs and sites, with no need to log into each one individually. It’s convenient, quick and hassle free. But recent news has also shown it to be a big security risk.
Single sign on provider OneLogin has been hacked, with attackers obtaining the login credentials of users “served by our [OneLogin’s] US data centre”. The worrying part of the breach is not just the unauthorised access itself, but the fact that the perpetrators have the power to crack the encrypted data they now have their hands on.
The implications of an attack of this kind are huge for organisations. Each individual Windows login is like a troop on the frontline of security for the defence of the network. The more passwords you have, the stronger that front line will be at keeping breaches at bay. However, by implementing single sign on, you effectively reduce the number of troops on the front line, rendering what’s left extremely vulnerable. Should a breach occur, attackers will hold the keys to the castle, with access to vast amounts of data. And all it takes for a breach to occur is bad user behaviour (like password sharing or unlocked workstations), exploited users (through phishing) or malicious users stealing colleagues’ credentials.
The Gartner financial fraud analyst quoted in the Krebs on Security article is spot on, arguing that using cloud-based single sign-on services is the digital equivalent to an organisation putting all of its eggs in one basket.
Avivah Litan said:
“It’s just such a massive single point of failure. And this breach shows that other [cloud-based single sign-on] services are vulnerable, too. This is a big deal and it’s disruptive for victim customers, because they have to now change the inner guts of their authentication systems and there’s a lot of employee inconvenience while that’s going on.”
It goes without saying that if you’re an organisation that is effectively ‘putting all your eggs in one basket’, you need to make damn sure you protect that basket.
Combine SSO with Granular MFA and Contextual Security
The way to do that is through multi-factor authentication and context-aware security. By adding a second authentication factor and restricting single sign on logins to particular workstations, devices, IP addresses, times of day or geographies, organisations can ensure that whoever is logging on to the system is exactly who they say they are.
That’s exactly what UserLock does. It offers secure and frictionless access to a corporate network and cloud applications, all by using on-premises Active Directory credentials. When MFA is prompted, access is only possible once the user validates a second authentication factor. This can be a mobile app or a hardware device.
What’s more, as soon as a login attempt occurs outside the restriction parameters set by the IT department, UserLock will deny the access and immediately alert the IT department, who can then grant or deny the access with a couple of clicks.
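One way to implement the contextual restrictions described above (trusted networks, enrolled workstations, permitted countries, working hours) together with a mandatory second factor and an alert on out-of-policy attempts, as an added example in Python that is not UserLock’s code; the policy values, hostnames and login attempts are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical policy object modelled on the restriction types the post lists.
@dataclass
class AccessPolicy:
    trusted_networks: list       # CIDR strings the user may log in from
    allowed_workstations: set    # hostnames enrolled for this user
    allowed_countries: set       # ISO country codes supplied by a GeoIP lookup
    hours: tuple = (8, 18)       # local working hours: start inclusive, end exclusive
    weekdays_only: bool = True

def check_context(policy, attempt):
    """Return the list of restriction violations for a login attempt (empty = within policy)."""
    violations = []
    ip = ip_address(attempt["ip"])
    if not any(ip in ip_network(net) for net in policy.trusted_networks):
        violations.append(f"ip {ip} outside trusted networks")
    if attempt["workstation"] not in policy.allowed_workstations:
        violations.append(f"workstation {attempt['workstation']} not enrolled")
    if attempt["country"] not in policy.allowed_countries:
        violations.append(f"country {attempt['country']} not permitted")
    when = datetime.fromisoformat(attempt["time"])
    start, end = policy.hours
    if not (start <= when.hour < end) or (policy.weekdays_only and when.weekday() >= 5):
        violations.append(f"outside permitted hours ({when.isoformat()})")
    return violations

def decide(policy, attempt, mfa_verified):
    """Deny (and flag an alert for IT) on any context violation; otherwise a valid
    password alone is still not enough, the second factor must have been validated."""
    violations = check_context(policy, attempt)
    if violations:
        return {"decision": "deny", "alert": True, "reasons": violations}
    if not mfa_verified:
        return {"decision": "deny", "alert": False, "reasons": ["second factor not validated"]}
    return {"decision": "allow", "alert": False, "reasons": []}

POLICY = AccessPolicy(trusted_networks=["10.20.0.0/16", "192.0.2.0/24"],
                      allowed_workstations={"WS-FIN-017", "LAPTOP-0042"},
                      allowed_countries={"GB", "FR"})

# Constructed sample attempts (not real data): in policy, foreign IP, and a weekend
# night login from an unknown machine in a non-permitted country.
ATTEMPTS = [
    {"user": "alice", "ip": "10.20.4.15", "workstation": "WS-FIN-017", "country": "GB", "time": "2017-06-05T09:30:00"},
    {"user": "alice", "ip": "203.0.113.9", "workstation": "WS-FIN-017", "country": "GB", "time": "2017-06-05T09:30:00"},
    {"user": "alice", "ip": "10.20.4.15", "workstation": "UNKNOWN-PC", "country": "US", "time": "2017-06-03T23:10:00"},
]

if __name__ == "__main__":
    for a in ATTEMPTS:
        print(a["user"], decide(POLICY, a, mfa_verified=True))
```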
With UserLock, businesses can benefit from the convenience of single sign on without compromising security. Win-win.