How Secure is Single Sign-On?

Single sign-on (SSO) has been a part of the process many organizations use for years to authenticate with multiple applications and websites for years securely, but its importance is often overlooked and underappreciated. With many enterprises migrating to the cloud and implementing third-party services, it is essential for business efficiency that seamless access to multiple applications from anywhere and on any device is available.

SSO makes it easy for your employees to access all of their applications without having to input a password, but many question how secure it is. This article will discuss the pros and cons of SSO, as well as attacks that have managed to evade it, and what you can do to keep your online accounts safe.

What is Single Sign-On and How Does It Work?

Single sign-on is an identity management solution that enables users to access multiple accounts by logging in using only one set of credentials. This eliminates the stress of having to remember multiple passwords as well as allows admins to manage all accounts and control which users have access to them. 

Normally, when you log in to an application, it will attempt to verify your identity before giving you access, requiring that you provide an email address, password, and sometimes an SMS or an email verification code. Once logged on, you are assigned a tracking code that essentially follows you around the web for the duration of your session, ensuring you don’t need to keep logging into the same website multiple times a day. Once the session ends, that code will expire and you will have to log in again to gain access.

Single sign-on solutions use that same general process to achieve a slightly different result.

SSO works based on a relationship established between the party that holds the identity information and can authenticate the user, called the identity provider (IdP), and the service provider (SP) or application the user wants to access. Rather than sending sensitive passwords back and forth across the internet, the IdP passes an assertion to authenticate the user for the SP. This is often done via an identity standard such as SAMLSecurity Assertion Markup Language (SAML), an XML-based open standard for transferring identity data between two parties..

Is Single Sign-On Efficient?

SSO productivity has several benefits,  so that users will not have to manage all of their accounts, or go to IT if they lose a password, and the user experience overall is more seamless.

The security benefits of SSO on the other hand On the other hand, the security benefits of SSO might not be as obvious or tempting. Does it create one single point of attack for a hacker to breach and access all of your systems? What if the SSO provider is hacked, would that put all of your accounts at risk?

Overall, implementing a high-quality SSO service can greatly improve the security of your organization. Some of these benefits include:

Managing Passwords

Password compromise is responsible for over 80% of data breach, typically because of end users choosing passwords that are easy to remember, or reusing the same passwords across multiple accounts. SSO helps prevent password compromise because employees no longer have to manage each account that they’re accessing. Instead of needing to remember dozens of passwords, employees just have to remember one. Additionally, IT teams can enforce secure password policies that mean the password meets certain complexity standards.

Multi-Factor Authentication

Another security benefit of single sign-on is that you can enforce multi-factor authentication across all of your accounts easily, and with no added hassle for the end user. This helps to prevent data breaches even if the attacker has your SSO account password, as they would also need the user’s second factor to verify their identity, such as a fingerprint scan or SMS message to a smart device.

Vendor Security

Most single sign-on vendors have strong security systems in place, but it’s important that you research solutions and implement a known reliable service. One weakness of SSO is a weak solution that is compromised or goes down, could result in you losing access to connected accounts for periods of time and any of the vendor’s vulnerabilities will also become your vulnerabilities.

However, most of the best SSO vendors have highly secure services based on compliance regulations and industry standards. Many will also never store any information like account passwords or master keys on their systems, even in the event of the vendor being compromised, your own accounts will remain protected. It’s also important that whichever vendor you choose fully discloses their policies and doesn't share client data with third parties.

Microsoft 365 and SSO Weaknesses

Hackers are attracted to large and lucrative targets as often the largest targets present the most avenues for attack. Microsoft 365 is one of those large targets with over 300 million users worldwide. Over 80% of deployed Microsoft 365 accounts have suffered an email breach and over 70% have suffered an account takeover. 

If you are a Microsoft 365 user, you must be aware of their massive vulnerability. The way that Microsoft 365 manages “federated identities” through Security Assertion Markup Language (SAML) makes it easy for hackers to infiltrate accounts, data, e-mail messages, and files within the software’s cloud. Relying on the cloud for data storage is a popular trend, despite the fact that more stories are emerging regarding the cloud’s security weaknesses. This vulnerability is only the latest example of an ongoing problem with singular reliance on the cloud for information storage and retrieval. Though Microsoft responded to the security exploit with mitigation earlier this year, it is clear that cloud storage is fallible.

Hackers are leveraging every tool at their disposal, including Microsoft capabilities themselves, to compromise sensitive information from governments, businesses, and other non-state actors who rely on Microsoft 365. It was discovered earlier this year that attackers are using Static Web Apps, a service provided by Microsoft Azure, to enhance phishing attacks against Microsoft 365 users, and create false landing pages using Microsoft’s logo. 

Threat levels have increased as ransomware and phishing attacks have become cheaper and easier to facilitate. Research has also found that cybercriminals have been targeting Microsoft 365 users with MFA fatigue attacks that work by bombarding victims with 2FA push notifications to manipulate victims into authenticating fraudulent login attempts. This attack requires that the attacker has the victim’s credentials, which could be compromised with brute force, password reuse, or spraying. The user is usually distracted or overwhelmed by the notifications and can be misinterpreted as a bug or confused with other legitimate authentication requests.

Single Sign-On Weaknesses and Vulnerabilities

While SSO is useful, it is not without risks. SSO uses a one-to-many architecture allowing an attacker to instantly gain access to every resource that a particular account holder is authorized to use if an identity is breached. Other common SSO challenges include: 

• Extra-strong passwords must be enforced: if an SSO account is cracked, others under the same authentication can also be endangered.
• When SSO is down, access to all connected sites is stopped: this is a big reason to exercise great care in choosing an SSO system. It must be exceptionally reliable and plans should be in place for dealing with breakdowns.
• When your identity provider goes down, your SSO does too: the provider’s vulnerability to any kind of interruption becomes your vulnerability as well, and it is probably beyond your control. Once again, the choice of vendors is critical.
• If a hacker breaches your identity provider user account, all your linked systems could be open to attack: this can be a classic single point of failure and should be headed off in the planning process. On the plus side, high-quality identity providers have top-notch security.
• SSO is risky for multi-user computers: what happens when one user is logged in and another needs to use the machine?
• Reduced sign-on (RSO) may be needed to accommodate different levels of access: with RSO, additional authentication servers may be required. 
• Some SSO-linked sites may give their user data to third-party entities. 

A Cyber security engineer at Heroic cybersecurity detailed his experience taking over accounts that were a part of a website deal with Github as an SSO provider, saying, “I decided to take a look on Github after starting with recon I found nothing interesting then, I moved to the next phase I started with account creation, creating an account in Github is so simple after creating the account you should be asked to verify your email with 6-digits code sent to your email, I went to my email and found that there is a link sent along with the code if you are not able to enter the code manually, the link contained the same 6-digits code sent instead of a token or something like that it was a bit interesting, there was strict rate limit if you tried to enter the code using the manual form, so it was impossible to brute force the code through it, I tried to brute force the code using the link and bingo!”

Social SSO Vulnerabilities

Social media platforms Google, LinkedIn, Twitter, and Facebook offer popular SSO services that enable users to log in to a third-party application with their account credentials. Although social single sign-on is a convenience to users, it can present security risks because it creates a single point of failure that can be exploited by attackers.

Many experts suggest that users refrain from using social SSO services altogether because once an attacker gains control over a user's SSO credentials, they will be able to access all other applications that use the same credentials.

10,000 Orgs Targeted in Phishing Attack

Microsoft recently discovered a widespread phishing campaign that targeted Microsoft 365 users by luring victims to a phony Office authentication page where it steals credentials. The second wave of attack is then executed, business email compromise (BEC), using intel gathered from their email accounts.

More than 10,000 organizations have been victims of the campaign since last year, according to Microsoft, and employ the Evilginx2 phishing kit as the infrastructure for hijacking the authentication process. According to a post by the Microsoft 365 Defender Research Team, "We also uncovered similarities in their post-breach activities, including sensitive data enumeration in the target’s mailbox and payment frauds."

The man-in-the-middle attack sets up a proxy server that gets in between the victim and the actual authentication page. Microsoft continued in its post, "Such a setup allows the attacker to steal and intercept the target's password and the session cookie that proves their ongoing and authenticated session with the website. Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses.” Because of this, organizations bolster MFA with conditional access policies, which assess sign-in requests based on identity, IP location, and device status.

Keep Learning

Single sign-on can provide several security benefits for businesses, especially securing accounts and improving identity management by removing the reliance on insecure passwords, implementing MFA, giving admins more control, and freeing up IT resources can all help to secure businesses. That being said, challenges arise as it can also be a single point of failure for attacks if protections like MFA are not put in place.

• Keep learning about MFA and best practices for protecting against attacks.
• Keep learning about email account compromise prevention methods.
• Get the latest updates on how to stay safe online.