Since its invention in 1960, the computer password remains by far the most widely used method of authentication. Yet perhaps unsurprisingly given the age of the technology, passwords are as problematic as they are common, being involved in over half of data breaches according to Verizon.
With the average enterprise using over 250 cloud apps, the prospect of employees remembering unique, strong passwords for each of them is simply impractical, even ignoring the potentially even greater number of personal passwords users must also memorise. As a result, users tend to resort to several practices to deal with the problem:
- Password reuse – an insecure practice that greatly increases business risk. If an application password is compromised, that application and all other apps using the same credentials can also be compromised. When passwords are leaked during a data breach, they are also frequently exchanged or published on the dark web for use in future attacks.
- Using simple, easy-to-remember passwords – In general, the easier a password is to remember for a user, the easier it is for an attacker to crack it. Using personal details which can easily be traced through social media, or other common passwords all increase the risk of a successful cyberattack.
- Writing down or storing passwords insecurely – this presents an easy opportunity for credential theft, and can make data breaches far more serious when credentials are stored in the cloud, allowing attackers to potentially gain access to every other application in use. Digital devices which synchronise with the cloud also present a security risk if they are lost or stolen. In addition, writing down credentials can also introduce a risk from internal employees and any visitors or contractors on local premises.
Even training employees on cybersecurity does little to change user behaviour. Research carried out by My1Login found that even among employees who have received cybersecurity training, 85% still reused passwords, and training had no effect at all on users choosing to write their passwords down.
Fundamentally, the problem is due to the fact that end-users are forced to adopt insecure practices, such as reusing and writing down passwords, because of the impracticality of remembering so many passwords. As organisations transform to the cloud, the issue only worsens, as there are an increasingly large number of usernames and passwords to remember and manage. With humans as the central limiting factor, a technological solution is required.
How Single Sign-On solves the problem of passwords
While Single Sign-On (SSO) can be viewed as a tool that improves user experience and productivity, its most important benefits lie in security. SSO can replace passwords with secure tokens using open security standards such as SAML and OIDC, or some can incorporate Enterprise Password Management to automatically generate strong, unique passwords which are undisclosed to users, and automatically enter them into login forms.
This prevents many of the most common methods attackers use to gain unauthorised access to applications protected by password-based authentication. Passwords are typically compromised in one of three ways -
- Credential stuffing – Making use of credentials from previous data breaches available on the dark web, attackers will try known combinations of usernames and passwords to gain unauthorised access
- Phishing and social engineering – Users are tricked into giving away their passwords by entering them into a spoofed site
- Brute force attacks – Weak passwords can be targeted by repeatedly guessing combinations, which prioritise commonly-used passwords first
SSO addresses the vulnerabilities of passwords and prevents these three methods from being effectively deployed by attackers. Clearly, when passwords have been replaced altogether by passwordless authentication via secure tokens, these forms of attack are no longer possible. Where passwords do continue to be used, due to limitations of the application, and Enterprise Password Management is used to authenticate users, the risk from these attacks is also mitigated. The passwords generated from Enterprise Password Management solutions are typically complex and unique, preventing brute force attacks and the risk of credential stuffing from reused passwords. Since the passwords can also be undisclosed to end-users, employees also cannot be phished of passwords if they are unaware of what they are.
Within the SSO solution, whether passwords or secure tokens are used to authenticate, the end-user experience is the same. After authenticating with the corporate directory, employees need only access an application to be automatically authenticated – no more time spent managing, remembering or entering passwords to gain access. In addition, some SSO solutions can automatically discover new apps being used by employees, allowing administrators to easily include them within the SSO solution, mitigating security risks from Shadow IT
By taking the responsibility of creating, managing and entering passwords away from employees, the human factor is ultimately removed as a limitation and a strong password policy can be effectively enforced, or passwords removed altogether, eliminating a number of the most common attack vectors available to cybercriminals.
Find out more on how SSO can protect your organisation against data breaches.
