Single Sign On (SSO) was introduced as a user convenience and improved security tool. The idea was to give a user the ability to sign in once and have access to all their resources through one set of credentials. Organizations had the ability to require more password complexity, which improves overall password security. Unfortunately, this option has created additional security risks. If an attacker gained access to a user’s master password, they would also gain access to the user’s enabled resources, applications, and data associated with those applications. One example is an SAML injection attack that was discovered last year that allows an attacker to exploit weaknesses in SSO and gain access to user accounts.
Users are often reminded to never use the same password on multiple sites for the simple reason that an attacker could gain access to any resource using that same password. SSO does nothing to increase the risk of a credential stuffing attack, but if the master password is obtained, the result is essentially the same. To make SSO more secure, it is recommended to adhere to zero trust principles and to use Least User Access. Limiting user permissions can help reduce the amount of damage that could occur if a user’s credentials are compromised. Another way to make SSO more secure is to implement multifactor authentication, which helps prevent an attacker from being able to login using stolen credentials.