
Get the convenience of single sign-on (SSO) without compromising security

Learn how businesses can benefit from the convenience of single sign-on (SSO) without compromising security by using UserLock to secure Active Directory identities' access to Windows server networks.

Published July 20, 2017

From an end user’s perspective, single sign-on (SSO) is a great idea. You log into one platform, then get access to multiple applications, programs and sites. No need to log into each one individually. It’s convenient, quick, and hassle free. But for IT, SSO brings security risks.

Windows logon is the first line of defense against a breach

Each individual Windows login is like a troop on the frontline, defending access to the network. The stronger your passwords and access security controls, the stronger that front line will stand against attacks.

But once you implement single sign-on, you lower the number of troops on the front line. So what’s left is extremely vulnerable.

If a breach happens, attackers will have access to huge amounts of data in your Active Directory network. They've got the keys to the kingdom.

And all it takes for a breach to occur is bad user behaviour (like password sharing or unlocked workstations), exploited users (through phishing) or malicious users stealing colleagues’ credentials.

SSO can increase the risk of logon compromise

Gartner financial fraud analyst Avivah Litan is spot on in this Krebs on Security article, arguing that using cloud-based single sign-on services is the digital equivalent to an organisation putting all of its eggs in one basket.

Litan goes on to explain:

“It’s just such a massive single point of failure. And this breach shows that other [cloud-based single sign-on] services are vulnerable, too.

This is a big deal and it’s disruptive for victim customers, because they have to now change the inner guts of their authentication systems and there’s a lot of employee inconvenience while that’s going on.”

It goes without saying: If your organization is effectively "putting all your eggs in one basket," you'd best make damn sure you protect that basket.

Combine SSO with granular MFA and contextual security

The way to do that is through multi-factor authentication and context-aware security. By adding a second authentication factor and restricting single sign-on logins to particular workstations, devices, IP addresses, times of day or geographies, organisations can ensure that whoever is logging on to the system is exactly who they say they are.

That’s exactly what UserLock does. It offers secure and frictionless access to a corporate network and cloud applications, all by using on-premises Active Directory credentials. When MFA is prompted, access is only possible once the user validates a second authentication factor. This can be a mobile app or a hardware device.

What’s more, as soon as a login attempt falls outside the restriction parameters set by the IT department, UserLock denies the access and immediately alerts the IT department, which can grant or deny the access with a couple of clicks.
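The contextual check the two paragraphs above describe, as an added illustration that is not UserLock's own code: a small policy evaluator (hypothetical names, constructed sample data) that tests a logon attempt against the workstation, network, country, time-of-day and second-factor restrictions, fails closed on bad input, and returns every violated rule so the alert raised to IT explains the denial.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy model for the contextual restrictions described above
# (workstation, network, country, time of day, second factor). Hypothetical
# names; not UserLock's own configuration format.
@dataclass
class ContextPolicy:
    allowed_workstations: set = field(default_factory=set)  # empty set = no restriction
    allowed_networks: list = field(default_factory=list)    # CIDR strings
    allowed_countries: set = field(default_factory=set)
    work_hours: tuple = (8, 18)                              # allowed local hours [start, end)
    require_mfa: bool = True

@dataclass
class LogonAttempt:
    user: str
    workstation: str
    source_ip: str
    country: str
    when: datetime
    mfa_verified: bool

def evaluate_logon(attempt: LogonAttempt, policy: ContextPolicy):
    """Return ('allow' | 'deny', [reasons]). Every violated restriction is
    recorded so the alert sent to IT explains exactly why access was denied."""
    reasons = []
    if policy.allowed_workstations and attempt.workstation not in policy.allowed_workstations:
        reasons.append(f"workstation {attempt.workstation} not on the allowed list")
    try:
        addr = ip_address(attempt.source_ip)
        if policy.allowed_networks and not any(addr in ip_network(n) for n in policy.allowed_networks):
            reasons.append(f"source address {attempt.source_ip} outside permitted networks")
    except ValueError:
        reasons.append(f"unparseable source address {attempt.source_ip!r}")  # fail closed
    if policy.allowed_countries and attempt.country not in policy.allowed_countries:
        reasons.append(f"logon from {attempt.country} not permitted")
    start, end = policy.work_hours
    if not (start <= attempt.when.hour < end):
        reasons.append(f"logon at {attempt.when:%H:%M} is outside {start:02d}:00-{end:02d}:00")
    if policy.require_mfa and not attempt.mfa_verified:
        reasons.append("second authentication factor not validated")
    return ("deny" if reasons else "allow"), reasons

# Constructed sample policy and two sample logon attempts.
POLICY = ContextPolicy({"WS-FIN-01", "WS-FIN-02"}, ["10.10.0.0/16"], {"FR", "GB"})
GOOD = LogonAttempt("alice", "WS-FIN-01", "10.10.4.20", "FR", datetime(2017, 7, 20, 9, 30), True)
BAD = LogonAttempt("alice", "LAPTOP-X", "203.0.113.7", "FR", datetime(2017, 7, 20, 23, 5), True)
```

Running `evaluate_logon(BAD, POLICY)` denies the attempt with three reasons (unknown workstation, external address, out-of-hours), which is the detail an IT administrator needs before choosing to grant or deny it.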

With UserLock, businesses can benefit from the convenience of single sign-on without compromising security. Win-win.

Chris Bunn, Managing Director