Single Sign On (SSO) was originally introduced as a tool for both user convenience and improved security. The idea was that, rather than requiring users to memorize numerous complex and frequently changing passwords, a user could sign in once and access all of their resources through a single set of credentials.
Because the user was only required to remember a single password, an organization could require additional password complexity, thereby improving overall password security.
SSO Security Risks
Ultimately, SSO ended up becoming a double-edged sword. While the use of SSO did indeed result in some organizations adopting stronger password policies, it also created additional security risks. After all, an attacker who gains access to a user's master password also gains access to all of that user's SSO-enabled resources. This includes the user's applications and the data associated with those applications.
In some ways, SSO completely undermines well-established security best practices. Users have long been discouraged from using the same password on multiple sites for the simple reason that if the user's credentials are stolen, the cybercriminal can use those credentials to gain access to any resource that uses them.
It is true that SSO does nothing to increase the risk of a credential stuffing attack, since the password is not literally reused across sites, but the end result of a compromised SSO password is essentially the same: one stolen secret unlocks every connected application.
While it is easy to think of such scenarios as theoretical, it is important to remember that a SAML injection attack was disclosed last year that allowed an attacker to exploit weaknesses in how some SSO implementations process SAML assertions and gain access to other users' accounts.
Making SSO More Secure
There are several things that an organization can do to make its SSO implementation more secure.
First, it's extremely important to adhere to zero trust principles and to use Least User Access (the principle of least privilege). Least User Access is the practice of making sure that users do not have access to any resources that are not specifically required for them to do their jobs.
Limiting user permissions in this way can help to reduce the amount of damage that could occur in the event that a user’s credentials are compromised.
Another extremely important step in making SSO more secure is to require the use of multifactor authentication.
Multifactor authentication helps to prevent an attacker from being able to log in using a stolen set of credentials. After entering the username and password, the attacker is still required to prove their identity through a secondary means of authentication.
Multifactor authentication can be implemented in a variety of ways, but one common example involves sending a numerical code to the user's smartphone. The user is unable to complete the authentication process until they enter this code. The idea behind this technique is that an attacker who has stolen a user's credentials is unlikely to also be in possession of the user's smartphone. Codes delivered by SMS are the weakest form of this, since they can be intercepted or phished along with the password; where possible, prefer an authenticator app or a phishing-resistant factor such as a FIDO2 security key.
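The two-step flow described above, as an added example that is not code from the original article or from Specops: a password check that, on success, issues a short-lived one-time code for out-of-band delivery, and a second step that only creates a session once that code is verified. The user store, the clock injection and the class names are assumptions made for the example; the code is single-use, expires after five minutes and is discarded after too many wrong guesses, so stolen credentials alone never reach a session.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # a code sent to the phone is valid for 5 minutes
MAX_OTP_ATTEMPTS = 5    # after this many wrong guesses the code is discarded

# Constructed sample user store (hypothetical). Plaintext is used only to keep
# the example short; a real deployment stores salted password hashes.
USERS = {"alice": "correct-horse-battery-staple"}


class SecondFactor:
    """Issues and verifies one-time codes delivered out of band (SMS/push)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # username -> [code, expires_at, attempts_left]

    def issue(self, username):
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[username] = [code, self._clock() + OTP_TTL_SECONDS, MAX_OTP_ATTEMPTS]
        # Returned here only so the example can simulate delivery; a real
        # server hands the code to the SMS/push gateway, never to the browser.
        return code

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[username]      # expired: user must request a new code
            return False
        if not hmac.compare_digest(code.encode(), str(submitted).encode()):
            entry[2] -= 1                    # constant-time compare, then count the miss
            if entry[2] <= 0:
                del self._pending[username]  # too many guesses: force a fresh code
            return False
        del self._pending[username]          # single use
        return True


class SsoLogin:
    """Password first, then the out-of-band code; no session until both pass."""

    def __init__(self, second_factor):
        self._mfa = second_factor
        self._sessions = set()

    def submit_password(self, username, password):
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        return self._mfa.issue(username)     # stolen credentials get only this far

    def submit_code(self, username, code):
        if not self._mfa.verify(username, code):
            return False
        token = secrets.token_urlsafe(16)
        self._sessions.add(token)
        return token

    def is_logged_in(self, token):
        return token in self._sessions


if __name__ == "__main__":
    login = SsoLogin(SecondFactor())
    code = login.submit_password("alice", "correct-horse-battery-staple")
    print("code delivered out of band:", code)
    print("wrong code accepted?", bool(login.submit_code("alice", "000000" if code != "000000" else "000001")))
    token = login.submit_code("alice", code)
    print("session established:", login.is_logged_in(token))
```

The lockout counter and expiry are what make the second factor meaningful against an attacker who already has the password: without them a six-digit code is brute-forceable in at most a million requests.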
Another thing that you can do to make SSO more secure is to make sure that the initial authentication process is controlled by a strong identity provider. In a Windows environment this typically means requiring users to authenticate against Active Directory.
Active Directory allows organizations to establish a strong password policy based on their own security requirements. Better still, Microsoft designed Active Directory to be extensible, which means that you can use third-party products such as Specops Password Policy to further improve password security.
Specops Password Policy for Improved SSO Security
There are two main ways that Specops Password Policy can be used to make SSO more secure. First, Specops Password Policy improves upon the password policy settings that are built into Active Directory.
Although Windows Server does allow you to create password policies built around length, complexity, and age requirements, there are limits to what you can do using native Group Policy settings.
Specops Password Policy augments the native password settings by adding other essential controls, such as the ability to block incremental passwords (Summer2023 becoming Summer2024) or to prevent certain passwords from being used (such as passwords that contain the name of the organization).
Another way that Specops Password Policy can improve SSO security is by monitoring passwords to make sure that they have not been compromised. Specops maintains a database of billions of passwords that are known to have been leaked, and Specops Password Policy checks users' passwords against it. If a user's password is found to have been leaked, that password can be expired immediately, before the account can be compromised.
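To make concrete what the controls above add on top of the native length, complexity and age rules, here is an added example that is not code from the article and not Specops' own implementation: a password-change checker with an incremental-password rule, an organization-name rule and a leaked-password lookup, plus a scan that flags existing accounts whose current password appears in the leaked set. The leaked-password list, the organization name "contoso" and the SHA-1 storage format are constructed for the example (a real breached-password corpus is far larger and, for Active Directory, is matched on NT hashes rather than SHA-1).

```python
import hashlib
import re

# Constructed sample of a leaked-password list (hypothetical, not a real breach
# corpus), stored as SHA-1 digests so the checker never holds the plaintext list.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("Password1", "Winter2023!", "letmein", "Contoso2024")
}

ORG_TERMS = ("contoso",)   # hypothetical organization name to block
MIN_LENGTH = 12


def sha1_hex(password):
    """Hash a password the same way the sample leaked list is stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def is_leaked(password):
    """True if the password appears in the (sample) leaked-password set."""
    return sha1_hex(password) in LEAKED_SHA1


def contains_org_term(password):
    """Case-insensitive substring match against the blocked organization terms."""
    lowered = password.lower()
    return any(term in lowered for term in ORG_TERMS)


def _digitless_root(password):
    """'Winter2023!' -> 'winter!': the part of a password users keep across rotations."""
    return re.sub(r"\d", "", password).lower()


def is_incremental(new_password, old_password):
    """True for Summer2023 -> Summer2024 or Pass4 -> Pass5 style changes:
    the two passwords differ only in their digits (ignoring case)."""
    if old_password is None or new_password == old_password:
        return False
    root = _digitless_root(new_password)
    return bool(root) and root == _digitless_root(old_password)


def evaluate_password(new_password, old_password=None):
    """Return the list of policy violations; an empty list means the password is accepted."""
    violations = []
    if len(new_password) < MIN_LENGTH:
        violations.append("too short")
    if contains_org_term(new_password):
        violations.append("contains organization name")
    if is_incremental(new_password, old_password):
        violations.append("incremental change from previous password")
    if is_leaked(new_password):
        violations.append("found in leaked-password database")
    return violations


def find_compromised_accounts(account_hashes):
    """Given {username: sha1_hex(current password)}, return the usernames whose
    current password is in the leaked set and should be expired immediately."""
    return sorted(user for user, digest in account_hashes.items() if digest in LEAKED_SHA1)


if __name__ == "__main__":
    print(evaluate_password("Password1"))
    print(evaluate_password("Contoso2024"))
    print(evaluate_password("Correct-Horse-Battery-42", "Correct-Horse-Battery-41"))
    # Constructed directory snapshot: alice still uses a leaked password.
    print(find_compromised_accounts({
        "alice": sha1_hex("Winter2023!"),
        "bob": sha1_hex("strong-unique-passphrase-9"),
    }))
```

Native Group Policy can express only the first rule; the other three are what a product in this space adds, and the account scan is the "expire before compromise" step, run against stored hashes rather than plaintext.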
You can test out Specops Password Policy in your Active Directory anytime for free.
Source: https://www.bleepingcomputer.com/news/security/minimizing-the-security-risks-of-single-sign-on-implementations/