Single Sign-On explained
Benefits of SSO and what to consider before clicking "Sign in with Facebook"?
What is SSO?
Single Sign-On is an authentication method where a single set of credentials (username + password) allows a user to access multiple services and applications. You’ve definitely seen this when prompted to sign in to some websites/apps with Google, Facebook, Apple, etc.
This scheme involves three parties: an end user, a service provider and an identity provider. When the user logs in to a service using SSO, the identity provider performs the authentication and confirms the user's identity to the service. For seamless access to the third-party service, the user must already be signed in to their identity provider account; otherwise they will be prompted to log in to it first. For instance, when you are signed in to your Google account, you can access all services connected to it, but if you sign out of the Google account, you lose that access.
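To make the three-party exchange concrete, here is an added Python simulation (it is not code from the original article): a toy identity provider that holds the password and the user's session and issues a signed assertion, and a service that never sees the password and only verifies the assertion's signature, audience and expiry. The shared HMAC key, the user record and the "photo-app" service name are constructed for the demo; a real SAML or OIDC deployment uses an asymmetric key pair, with only the identity provider's public key held by the service.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key shared by the IdP and the service so the service can
# verify assertions. Real SAML/OIDC deployments use an asymmetric key pair,
# so the service only ever holds the IdP's public key.
IDP_SIGNING_KEY = b"demo-idp-signing-key-not-for-production"
SALT = b"constructed-demo-salt"


def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def _sign(body):
    """HMAC-SHA256 over the canonical JSON form of the assertion body."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(IDP_SIGNING_KEY, raw, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


class IdentityProvider:
    """Holds the only copy of the password and the user's sign-in session."""

    def __init__(self):
        # Constructed user record; only a salted password hash is stored.
        self._users = {"alice": {
            "pw_hash": _pw_hash("correct horse battery staple"),
            "email": "alice@example.com",
            "birthday": "1990-01-01",   # private attribute, not released below
        }}
        self._sessions = {}     # session token -> username
        self.available = True   # set False to model an IdP outage

    def login(self, username, password):
        """Primary authentication; returns a session token or None."""
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(user["pw_hash"], _pw_hash(password)):
            return None
        token = secrets.token_urlsafe(16)
        self._sessions[token] = username
        return token

    def logout(self, session):
        self._sessions.pop(session, None)

    def issue_assertion(self, session, audience, release):
        """Signed assertion for `audience`, or None when there is no IdP
        session (the service must send the user to the IdP login first)."""
        if not self.available:
            raise ConnectionError("identity provider unreachable")
        username = self._sessions.get(session)
        if username is None:
            return None
        now = int(time.time())
        body = {"sub": username, "aud": audience, "iat": now, "exp": now + 300,
                # Only attributes the user's privacy settings allow are shared.
                "attrs": {k: self._users[username][k] for k in release}}
        return {"body": body, "sig": _sign(body)}


class ServiceProvider:
    """Never sees a password; trusts only assertions it can verify."""

    def __init__(self, name):
        self.name = name

    def sign_in_with_sso(self, assertion):
        body, sig = assertion["body"], assertion["sig"]
        if not hmac.compare_digest(_sign(body), sig):
            raise PermissionError("bad signature")        # tampered or forged
        if body["aud"] != self.name:
            raise PermissionError("issued for another service")
        if body["exp"] < time.time():
            raise PermissionError("assertion expired")
        return {"user": body["sub"], **body["attrs"]}


def accepted(service, assertion):
    """True if the service accepts the assertion, False if it rejects it."""
    try:
        service.sign_in_with_sso(assertion)
        return True
    except PermissionError:
        return False


def demo_flow():
    """Walk through the three-party exchange; returns what each step yielded."""
    idp, photos = IdentityProvider(), ServiceProvider("photo-app")
    out = {}
    # 1. No IdP session yet: the user is bounced to the IdP login page.
    out["before_login"] = idp.issue_assertion(None, "photo-app", ["email"])
    # 2. The user authenticates at the IdP only; the service never sees the password.
    session = idp.login("alice", "correct horse battery staple")
    # 3. The IdP vouches for the user with a signed assertion scoped to this service.
    assertion = idp.issue_assertion(session, "photo-app", ["email"])
    out["profile"] = photos.sign_in_with_sso(assertion)
    # 4. Signing out of the IdP cuts off access to every connected service.
    idp.logout(session)
    out["after_logout"] = idp.issue_assertion(session, "photo-app", ["email"])
    return out
```

Running demo_flow() shows the three points the article makes: without an identity provider session the service cannot sign the user in, the service receives only the attributes the identity provider releases (the email, not the birthday), and signing out of the identity provider immediately removes access. The audience check also stops an assertion issued for one service from being replayed at another, and the available flag models the outage case where no connected service can be reached.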
The advantages of this approach are that the user doesn't need separate credentials for each service and that service providers never store the user's password. However, it also poses a great risk if a malicious actor obtains the user's SSO credentials.
To protect your SSO process, we strongly recommend enabling two-factor authentication. It is also wise to keep separate credentials for critical services (and protect them with 2FA/MFA, of course).
To sum up, SSO is a very convenient authentication method, but you should be prudent about where you use it.
So, how secure is SSO with third-party services?
As we have already learned, Single Sign-On can be really convenient, allowing a user to access numerous services with a single set of credentials. Lazy by nature, we tend to click "Sign in with Facebook" (or any other available option) just to avoid the (seemingly) painful registration process.
What can go wrong?
In the worst case, if a hacker obtained your SSO credentials, they would have access to every account under that authentication umbrella. You can protect your accounts with 2FA where it is offered, but services without a 2FA option remain at risk.
We should also mention that if the SSO provider is unavailable for some reason (their server is down or their website is blocked on your network), you won't be able to log in to the services connected to it.
And we should also keep privacy in mind. The more you use SSO, the more its provider knows about you. It's also worth mentioning that service providers receive some of your personal data from the identity provider (for example, public profile information from a social network that acts as your identity provider). You can limit data sharing in your privacy settings.
Basically, SSO is much better than using weak passwords and reusing them, and it can be reinforced with 2FA/MFA. But it is still weaker than using a password manager, which securely stores passwords and generates strong, unique ones for each of your accounts.
For example, the Corporate edition of our PassSecurium™ password manager works with Azure AD, which acts as the SSO provider in this case. Not only does PassSecurium™ authenticate users with their Azure credentials, but it also maps user roles and grants permissions appropriate to each role.
We hope that this article was helpful and clarified the intricate topic of Single Sign-On for you!