April 3, 2019 By Diana Kightlinger 4 min read

Every day, the average business employee inputs credentials to authenticate identity and access apps and sites several times — using one of the 8–12 passwords the average person has, according to the “IBM Future of Identity Report.” If you get your password wrong too many times, you’re locked out and you call the IT help center to reset it, again. Which leads you, the help center and the system administrator all to think there must be a better way. Fortunately, there is single sign-on (SSO).

What is SSO? It’s a user authentication technology that requires only one set of credentials to provide access to everything you need. Once you’re authenticated on a centralized platform in an enterprise, for example, you can use a range of applications — from on-premises programs to cloud resources to software-as-a-service (SaaS) apps such as Salesforce and Office 365 — without logging in and out again.

Eliminate the Problems With Passwords

A typical employee may start with only a few credentials, but after a few weeks or months, that number will quickly increase. Furthermore, according to the “Future of Identity Report,” only 42 percent of millennials use complex passwords (versus 49 percent of people over the age of 55) and 41 percent reuse the same password multiple times (versus 31 percent). Administrators may be sympathetic to password fatigue and interrupted user experiences, but security is an even greater concern. Verizon’s “2018 Data Breach Investigations Report” listed stolen credentials as one of the leading causes of data breaches.

What users are accessing with those passwords is also critical; another key factor behind many breaches is the abuse of access privileges. Many enterprises fail to implement access management solutions that ensure employees have only the privileges they need to do their jobs. This puts the organization at greater risk given that insider threats are at the root of 60 percent of cyberattacks.

If you’re an administrator, you oversee databases that hold passwords, permissions for access to applications and resources, help center troubleshooting and support to change credentials, and training to keep users from falling for phishing scams or other hacks that could result in a breach. That can be a lot, especially for larger companies with hundreds or thousands of employees.

The solution requires taking responsibility for security away from users by eliminating the need to have multiple passwords.

Implement SSO for Seamless User Experiences

Single sign-on changes how authentication and identity and access management work. Normally, when you want to sign up for an application, the server first verifies whether you already have an account. If not, the server stores your email and a protected form of your password (a salted hash, never the password itself) in a database. The server then creates a session and sends a token confirming your identity. Your browser stores the token in a cookie that verifies your identity while you’re logged in. Next time you want to log in, the server checks your password against what’s in the database and you’re in or out.

With federated SSO, however, you get another option. You’ve probably been asked if you want to sign up for an app or site using Facebook or Google, for example. Various standards, including Security Assertion Markup Language (SAML), Open Authorization (OAuth) and OpenID Connect (OIDC), let these web giants give third-party apps and sites access to your information.

You choose your provider — say, Google — and the third party redirects you to Google, which checks whether you’re already logged in. If not, you log in and then choose what information you’re willing to share with the third party. Google verifies that both you and the third party are legitimate, then authenticates you based on its own password database and issues a token back to the site. The third-party site can now associate you with the user data you’re willing to share — such as preferences, previous sales and so on — and you can move seamlessly between applications for which you have access without logging in each time.
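To make the two flows above concrete, here is an added example (not code from the original post, and not IBM Cloud Identity or any real provider): a toy identity provider that stores only salted password hashes and issues a signed, JWT-shaped token, and a relying party that accepts the token only after checking signature, issuer, audience, expiry and the nonce that binds it to the login request. The issuer name, audience, shared HMAC signing key and token lifetime are assumptions for the demonstration; a real OpenID Connect provider publishes an asymmetric public key rather than sharing a secret.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# --- Identity provider side (constructed toy, not any real IdP) ---

# Assumption: a shared HMAC secret stands in for the provider's signing key.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "https://idp.example"      # assumed issuer identifier
AUDIENCE = "https://app.example"    # assumed client id of the relying party
PBKDF2_ROUNDS = 200_000

_users = {}  # email -> (salt, pbkdf2 digest); stands in for the IdP password database


def register(email, password):
    """Store only a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    _users[email] = (salt, digest)


def _check_password(email, password):
    entry = _users.get(email)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(email, password, nonce, now=None, ttl=300):
    """Authenticate against the IdP's own database and return a signed token
    (JWT layout, HS256) for the relying party, or None on bad credentials."""
    if not _check_password(email, password):
        return None
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": email,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


# --- Relying party side ---

def verify_id_token(token, expected_nonce, now=None):
    """Return the claims only if signature, algorithm, issuer, audience, expiry
    and nonce all check out; otherwise return None. Every check is mandatory."""
    try:
        h, c, s = token.split(".")
        signature = _unb64(s)
        header = json.loads(_unb64(h))
        claims = json.loads(_unb64(c))
    except ValueError:          # malformed base64 or JSON
        return None
    expected = hmac.new(SIGNING_KEY, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    if header.get("alg") != "HS256":   # the verifier, not the token, decides the algorithm
        return None
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if claims.get("exp", 0) <= now or claims.get("nonce") != expected_nonce:
        return None
    return claims


if __name__ == "__main__":
    register("alice@example.com", "correct horse battery staple")
    tok = issue_id_token("alice@example.com", "correct horse battery staple", "n-123")
    print(verify_id_token(tok, "n-123"))   # claims dict for alice
    print(verify_id_token(tok, "other"))   # None: nonce mismatch
```

The relying party never sees the password: it trusts the provider's signature on a short-lived token, which is exactly why the provider's credential store and signing key become the crown jewels once SSO is in place.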

A Win-Win for Users and Administrators

It’s easy to see why users would love SSO, whether they’re at home or at work. In the enterprise, they can use one set of credentials to access all their apps instead of remembering, looking up and frequently resetting multiple passwords. New users can sign up for accounts easily and securely, using a provider they already trust.

Administrators, on the other hand, can securely provide access to resources and applications, whether they’re on premises, in the cloud or in a hybrid cloud. But to reduce risk, it’s critical to focus on security as well as convenience.

Ensure the Upside Isn’t a Downside

Forrester emphasizes that authentication is mission-critical infrastructure in “Now Tech: Authentication Management Solutions, Q3 2018.” If an SSO provider experiences a security breach or an authenticator goes down, users can’t get online. And if only one set of credentials is needed to access a multitude of apps and resources, the security around those credentials must be ironclad. After single sign-on implementation, compromised credentials give a threat actor entry not just to one resource, but all of them.

More secure authentication should include access without passwords, such as scanning a code with a user’s phone; frictionless biometrics, such as fingerprint, voice or face recognition; and geolocation. For example, IBM Cloud Identity provides seamless and secure authentication for native, web, mobile or cloud applications via biometrics, FIDO2, Universal Second Factor (U2F), FaceID, Touch ID, email/SMS one-time passwords or soft tokens. The solution can also reduce reliance on passwords by providing multifactor authentication (MFA) to any target system, including virtual private networks (VPNs), mainframes, Linux or desktop.

An ideal solution will also incorporate risk-based authentication. For example, an employee logging in from her desktop at 2 p.m. on a workday may gain access with just a single password, but a user across the globe logging in on a new device at midnight may require MFA.
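As an added illustration of the risk-based policy just described (this is example code, not part of the original post and not any vendor's product logic), the following scores a login from a few context signals and requires MFA when the score crosses a threshold. The signal weights, the work-hours window and the threshold are assumptions chosen for the demonstration; a production policy would be tuned from the organization's own login telemetry.

```python
from dataclasses import dataclass


@dataclass
class LoginContext:
    user: str
    device_known: bool      # device previously enrolled for this user
    country: str            # geolocated country of the request
    home_country: str       # country the user normally works from
    local_hour: int         # hour of day (0-23) in the user's usual time zone
    failed_attempts: int    # recent failed logins on this account


WORK_HOURS = range(7, 20)   # assumption: 07:00-19:59 counts as a workday hour
MFA_THRESHOLD = 3           # assumption: at or above this score, step up to MFA


def risk_score(ctx):
    """Add up weighted signals; a higher score means less confidence that the
    request comes from the real user. Returns (score, list of reasons)."""
    score = 0
    reasons = []
    if not ctx.device_known:
        score += 3
        reasons.append("new device")
    if ctx.country != ctx.home_country:
        score += 3
        reasons.append("unusual location")
    if ctx.local_hour not in WORK_HOURS:
        score += 1
        reasons.append("off-hours")
    if ctx.failed_attempts >= 3:
        score += 2
        reasons.append("recent failed attempts")
    return score, reasons


def required_factors(ctx):
    """Decide whether a single password is enough or MFA must be required.
    The reasons are returned so the decision can be logged and audited."""
    score, reasons = risk_score(ctx)
    if score >= MFA_THRESHOLD:
        return "password+mfa", reasons
    return "password", reasons


if __name__ == "__main__":
    # Constructed contexts mirroring the two cases in the text above.
    at_desk = LoginContext("alice", True, "LU", "LU", 14, 0)
    far_away = LoginContext("alice", False, "JP", "LU", 0, 0)
    print(required_factors(at_desk))    # ('password', [])
    print(required_factors(far_away))   # ('password+mfa', [...])
```

Returning the reasons alongside the decision is deliberate: when a user is challenged for MFA, the help center and the security team can see which signals fired instead of guessing.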

Evolving With Your Ecosystem

Perhaps the best feature of SSO is its scalability; you can future-proof access management, as this case study on POST Luxembourg showed. As your enterprise changes and grows, you can continue to provide a convenient sign-on experience to users, customers and partners and a centralized solution that gives them secure and integrated access to resources via almost any device, anytime and anywhere.

IT administrators, line-of-business managers and employees all benefit from an identity and access management solution like single sign-on. It allows registered users to access applications with one set of credentials, provides a centralized place for admins to manage all protected applications and configure access policy settings, and, best of all, the cloud has made single sign-on implementation more affordable and less time-intensive than ever.
