Thinking About Moving to Single Sign-On (SSO)? Here’s What to Consider

What Is Single Sign-On?

Single Sign-On (SSO) is a user authentication process that allows a user to access multiple applications or systems with one set of login credentials. This means that after signing in once, the user can access other interconnected systems without needing to log in again for each one. Single Sign-On (SSO) works by using a central authentication server that all participating applications and services trust. When a user tries to access any of these services, the service requests authentication from the central server. As long as the user is signed into the central server and has appropriate permissions for the application, access is granted automatically without requiring the user to enter additional credentials.

SSO streamlines digital access for users as they move between systems and applications over the course of a workday. The average office worker uses between 10 and 30 different applications per day, including email, collaboration platforms like Slack, project management software, office productivity suites like Microsoft Office or Google Workspace, inventory systems, customer relations management (CRM) platforms, the company intranet, and specialized software for their job roles. Many professionals multitask, switching between programs and platforms several times per hour. Without SSO, workers have to sign into each system or application individually, losing valuable time in the process.

Traditionally, user login to each system was achieved through a username and password. As network and cloud-based applications have multiplied, the result has been that many people are juggling dozens of passwords every day, leading to a phenomenon known as “password fatigue.” In the modern office, employees may also use a variety of other authentication methods, such as an employee ID card for building access, a physical token for network access, and a variety of mobile credentialing apps for other physical and digital access applications. SSO helps tame the proliferation of credentials that users must manage.

In addition to simplifying the workday for users, SSO increases overall network security for organizations. Here’s how:

• Improved user compliance: Password fatigue often leads to poor password security practices, such as reusing the same password across applications or using simple, easy-to-guess passwords. Managing multiple mobile apps, physical tokens and ID cards also adds to the risk of credentials being lost or stolen.
• Reduced surface for cyberattacks: By minimizing the number of login screens and interfaces, there are fewer opportunities for attackers to intercept credentials or exploit weaknesses in various authentication systems. Users are less vulnerable to “phishing” attacks, too, since they only enter credentials once into a familiar, trusted interface. 
• Centralized authentication control: SSO provides a centralized point of control for authentication. This centralization allows for better monitoring, auditing, and management of user access and authentication practices.
• Easier rights management: When an employee leaves an organization or changes roles, their access rights can be quickly and effectively updated or revoked. This is much simpler with SSO, as it eliminates the need to individually adjust access rights across numerous applications.
• Enhanced security monitoring: SSO solutions often include tools for monitoring user sessions and behaviors. This can help in detecting unusual patterns that may indicate a security breach.
• Regular security updates: SSO providers typically maintain high security standards and regularly update their systems to address new threats, benefiting all connected applications.

Maximizing SSO Security with Modern User Authentication

While SSO improves security in many ways, it’s important to note that it also creates a single point of failure: If the SSO system is compromised, access to all connected applications might be at risk. An SSO system must be set up using modern and compliant network security standards and an SSO platform from a reputable supplier that follows proper security protocols. The user login credential is the single biggest point of vulnerability in an otherwise well-designed SSO system. That’s why SSO security starts with selecting an appropriate user authentication technology.

Many organizations still rely on usernames and passwords for the master login credentials in an SSO system. Passwords are inherently vulnerable to hacking, phishing and social engineering attacks, brute force attacks, and other strategies used by cybercriminals. Once the password is compromised, attackers have access to all the systems, files and data attached to that user login.

Secure user authentication via radio-frequency identification (RFID) cards/tokens or a secure mobile credentialing system are better choices for SSO. Instead of logging into the network with a username and password each morning, employees simply present their ID card, token or smartphone to unlock access to all the systems and files they use throughout their day. SSO can be set up using the same card, token or device employees use for building entry and other physical access control applications, creating a unified access system that is simpler for both employees and IT to manage.

RIFD and mobile credentialing systems using Bluetooth® Low Energy (BLE) or Near-Field Communication (NFC) offer numerous security benefits in an SSO system.

• User credentials are stored on the card or device and transmitted to the RFID reader in encrypted form, making them much less vulnerable to hacking, data theft or cloning.
• Users must be physically present with their card, security token or smartphone to log into the system, reducing the risk that someone else can hack into the system with stolen user credentials.
• Employees are much less likely to share a physical card, token or smartphone with a colleague than a password, reducing vulnerabilities related to password sharing. They are also much more likely to notice immediately if their card or phone is missing.
• Since employees do not know their user credentials, they can’t be tricked out of them through phishing or social engineering attacks.
• Credentials are not typed, which guards against key loggers and “over the shoulder” attacks.

RFID cards or mobile credentials can also be used in conjunction with other forms of authentication for a Multi-Factor Authentication (MFA) solution. With smartphone credentialing, MFA can be accomplished by requiring users to unlock the credentialing application using biometrics (e.g., fingerprint or facial recognition) or a password or PIN on the smartphone itself. This ensures that even if the device is lost or stolen, others will not be able to use the phone to get into the network. RFID cards can be combined with a password system for a login solution that is much more secure than a password alone. Since users only have to log in once to get access to all of their systems, managing a single password and an RFID card is not burdensome for the user.

RFID and mobile authentication make secure network and application login simple for users and ensure compliance with modern security best practices and standards. This is especially essential for organizations that are subject to stringent cybersecurity requirements, such as the N1S2 Directive in Europe.

ELATEC’s RFID readers provide the functionality needed to support secure SSO using RFID or mobile credentials. ELATEC’s Secure Log-On utilizes Power LogOn MFA software and can easily integrate with Active Directory, LDAP, thin clients, and VPN connections to assign user privileges based on user credentials.

Secure user authentication via RFID or mobile credentialing shores up the weakest link in an SSO system: the user login. By combining SSO with modern authentication technologies, companies can ensure the highest levels of network security and user convenience.