Cybercriminals are selling stolen login credentials for major firms on the dark web
Several major enterprises have adopted SSO in recent years, allowing corporate workers to access multiple websites with a single password.
BitSight founder and CTO Steven Boyer credits SSO with boosting productivity and reducing wasted time, since employees have fewer passwords to remember and IT staff spend less time dealing with lost passwords.
Meanwhile, companies are at risk of grave consequences as SSO credentials are sold on the Dark Web.
The credentials associated with SSO belong to trusted users within a company. If they are misused, threat actors have access to a wide range of company applications, depending on their privilege level.
According to Boyer, SSO credentials can be bought and sold just like anything else on the dark web. A bad actor could take advantage of this and gain access to a company's internal systems by purchasing the company's SSO credentials. They could then act as trusted insiders.
One of BitSight's reports noted that Okta was recently targeted by threat actors and compromised through a third-party service provider.
Okta founder and CEO Todd McKinnon has advocated eliminating passwords in the current threat environment, saying they are not adequate for authentication. An Okta spokesperson says customers need multiple authentication mechanisms.
"Risk-based authentication can be combined with authenticator choice in order to significantly improve security postures and reduce breach risks," an Okta spokesperson said.
To defend against single sign-on credential theft, BitSight recommends that organizations implement adaptive MFA. According to Boyer, adaptive MFA means requiring MFA when suspicious behavior is detected, based on the time, location, and other factors of the login attempt.
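As an added illustration (not code from the article, BitSight, or Okta), the following Python sketch shows the decision logic adaptive MFA rests on: a correct SSO password from an unusual country, device, or hour triggers a step-up challenge instead of a plain allow. The user profile, the country code "XX", and the login events are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample: a hypothetical user whose routine logins come from the
# US, on two registered devices, during 07:00-19:00 local time.
@dataclass
class UserProfile:
    usual_countries: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    work_hours: tuple = (7, 19)

@dataclass
class LoginEvent:
    country: str
    device_id: str
    hour: int          # local hour of day, 0-23
    password_ok: bool  # whether the SSO password matched

def risk_factors(profile: UserProfile, event: LoginEvent) -> list:
    """Return the contextual signals that make this login look unusual."""
    factors = []
    if event.country not in profile.usual_countries:
        factors.append("new_country")
    if event.device_id not in profile.known_devices:
        factors.append("new_device")
    start, end = profile.work_hours
    if not start <= event.hour < end:
        factors.append("off_hours")
    return factors

def decide(profile: UserProfile, event: LoginEvent) -> tuple:
    """Adaptive policy: ('allow' | 'mfa' | 'deny', factors, alert).
    A correct password never bypasses step-up when context is unusual, which
    is what blunts a purchased credential; two or more factors also raise an
    alert for the security team to review."""
    if not event.password_ok:
        return ("deny", [], False)
    factors = risk_factors(profile, event)
    if not factors:
        return ("allow", factors, False)
    return ("mfa", factors, len(factors) >= 2)

PROFILE = UserProfile({"US"}, {"laptop-1", "phone-1"}, (7, 19))

SAMPLE_EVENTS = [
    LoginEvent("US", "laptop-1", 10, True),   # routine login: allow
    LoginEvent("US", "laptop-1", 23, True),   # late night: step up
    LoginEvent("XX", "unknown-7", 3, True),   # stolen password, new place/device: step up + alert
    LoginEvent("US", "laptop-1", 10, False),  # wrong password: deny
]

def evaluate_sample() -> list:
    return [decide(PROFILE, e)[0] for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, evaluate_sample()):
        print(event, "->", decision)
```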
Universal two-factor authentication (U2F) verifies a user's identity with a physical security key. For example, if an attacker tries to capture a login through a site they control, U2F should block the attempt, because the key only answers to the legitimate site's origin and will not respond to the attacker's page.