Is Single Sign-On a Security Risk?
Most computer operators and ordinary users alike maintain one user ID and one password, and a single sign-on (SSO) facility fits their operational requirements. From a security point of view, however, a company that deploys single sign-on across its network infrastructure takes on inherent risks.
Single sign-on infrastructure
Let's take a closer look at single sign-on:
- No need to remember many user IDs and passwords
- Simplified operating procedures
- Improves the effectiveness and timeliness of disabling all network and computer accounts for terminated users
- Reduces the time users spend logging into multiple applications and platforms
Single sign-on drawbacks
- The same credential unlocks all of your web services; letting one username/password combination open every resource is dangerous
- A single high-value target, which attracts more attackers
- Side-channel attacks against the authentication step
- You never know how secure the system is, or whether it has already been breached
Single sign-on increases the difficulty of application protection
SSO by itself doesn't really improve security and, in fact, if not deployed properly can degrade security. There are more techniques for attacking single sign-on applications today; for example:
- Single sign-on phishing
- Man-in-the-middle attacks against a vulnerable SSO profile
- Replay attacks
- XML Signature Wrapping vulnerabilities in the SAML protocol
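Two items in that list, replay attacks and XML signature wrapping, come down to what the service provider checks before it trusts a SAML response. The Python below is an added example and not code from the original post or from any SAML library; it assumes a toy setup in which real XML-DSig is replaced by an HMAC over the serialized `<Assertion>` element, `NotOnOrAfter` is a plain epoch number rather than an ISO 8601 timestamp, and the response XML, the shared key and the subjects `alice@example.com` / `admin@example.com` are constructed for the demo. The `ds:Signature` / `ds:Reference URI="#id"` layout mirrors the real protocol, so the lesson carries over: verify the signature, then consume only the element the signature actually covers, and never accept the same assertion ID twice inside its validity window.

```python
"""Added example (not from the original post): a toy SAML-response validator
showing assertion replay and XML signature wrapping beside the service-provider
checks that reject them.  Assumptions: XML-DSig is replaced by an HMAC over the
serialized <Assertion>, and NotOnOrAfter is an epoch number, not ISO 8601."""
import copy
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
IDP_KEY = b"constructed-demo-key"  # stands in for the IdP's signing key

# Constructed sample: the IdP's unsigned response for alice.
UNSIGNED = ('<samlp:Response xmlns:samlp="{}" xmlns:saml="{}" ID="_resp1">'
            '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
            '<saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
            '<saml:Conditions NotOnOrAfter="2000"/></saml:Assertion>'
            '</samlp:Response>').format(NS["samlp"], NS["saml"])


def q(prefix, local):
    """Clark-notation tag for ElementTree, e.g. {uri}Assertion."""
    return "{%s}%s" % (NS[prefix], local)


def canonical(elem):
    """Deterministic bytes for one element, independent of where it sits."""
    c = copy.deepcopy(elem)
    c.tail = None
    return ET.tostring(c)


def sign_response(unsigned_xml):
    """IdP side: add a ds:Signature whose Reference points at the assertion ID."""
    root = ET.fromstring(unsigned_xml)
    assertion = root.find("saml:Assertion", NS)
    mac = hmac.new(IDP_KEY, canonical(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(root, q("ds", "Signature"))
    ET.SubElement(sig, q("ds", "Reference"), URI="#" + assertion.get("ID"))
    ET.SubElement(sig, q("ds", "SignatureValue")).text = mac
    return ET.tostring(root, encoding="unicode")


class ServiceProvider:
    def __init__(self):
        self.seen = {}  # assertion ID -> NotOnOrAfter, for replay detection

    def _verify_signature(self, root):
        """Resolve the Reference, check the MAC, return the element it covers."""
        sig = root.find("ds:Signature", NS)
        if sig is None:
            raise ValueError("unsigned response")
        target_id = sig.find("ds:Reference", NS).get("URI")[1:]
        matches = [e for e in root.iter() if e.get("ID") == target_id]
        if len(matches) != 1:
            raise ValueError("signed element missing or ambiguous")
        expected = hmac.new(IDP_KEY, canonical(matches[0]), hashlib.sha256).hexdigest()
        given = sig.find("ds:SignatureValue", NS).text or ""
        if not hmac.compare_digest(expected, given):
            raise ValueError("bad signature")
        return matches[0]

    def _accept(self, assertion, now):
        """Expiry and replay checks shared by both consume paths."""
        now = time.time() if now is None else now
        expiry = float(assertion.find("saml:Conditions", NS).get("NotOnOrAfter"))
        self.seen = {k: v for k, v in self.seen.items() if v > now}  # drop stale IDs
        if expiry <= now:
            raise ValueError("assertion expired")
        if assertion.get("ID") in self.seen:
            raise ValueError("replayed assertion")
        self.seen[assertion.get("ID")] = expiry
        return assertion.find("saml:Subject/saml:NameID", NS).text

    def consume_naive(self, xml, now=None):
        """Wrapping-vulnerable pattern: signature verified, but the *first*
        Assertion in document order is consumed, not necessarily the signed one."""
        root = ET.fromstring(xml)
        self._verify_signature(root)
        return self._accept(root.find(".//saml:Assertion", NS), now)

    def consume_hardened(self, xml, now=None):
        """Consume only the signed element, and only if it is a top-level Assertion."""
        root = ET.fromstring(xml)
        signed = self._verify_signature(root)
        if signed.tag != q("saml", "Assertion") or signed not in list(root):
            raise ValueError("signature does not cover a top-level Assertion")
        return self._accept(signed, now)


def wrapped_test_vector(signed_xml):
    """Validator test case: the genuine signed assertion is nested inside an
    unsigned one for another subject, so the Reference still resolves."""
    root = ET.fromstring(signed_xml)
    genuine = root.find("saml:Assertion", NS)
    root.remove(genuine)
    forged = ET.Element(q("saml", "Assertion"), ID="_forged", Version="2.0")
    subject = ET.SubElement(forged, q("saml", "Subject"))
    ET.SubElement(subject, q("saml", "NameID")).text = "admin@example.com"
    ET.SubElement(forged, q("saml", "Conditions"), NotOnOrAfter="2000")
    forged.append(genuine)
    root.insert(0, forged)
    return ET.tostring(root, encoding="unicode")


def attempt(sp, method, xml, now=1000):
    """Return the accepted subject, or 'rejected: <reason>'."""
    try:
        return getattr(sp, method)(xml, now)
    except ValueError as err:
        return "rejected: " + str(err)


def run_scenarios():
    """Exercise both validators; returns a dict of outcome strings."""
    signed = sign_response(UNSIGNED)
    wrapped = wrapped_test_vector(signed)
    sp = ServiceProvider()
    return {"genuine": attempt(sp, "consume_hardened", signed),
            "replay": attempt(sp, "consume_hardened", signed),
            "expired": attempt(sp, "consume_hardened", signed, now=3000),
            "wrapped_naive": attempt(ServiceProvider(), "consume_naive", wrapped),
            "wrapped_hardened": attempt(ServiceProvider(), "consume_hardened", wrapped)}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:17s} {outcome}")
```

Running it shows the naive validator accepting `admin@example.com` from the wrapped document even though only alice's assertion was signed, while the hardened path rejects it, rejects the second presentation of the same assertion ID, and rejects an assertion past its `NotOnOrAfter`. The replay cache is per process here; a clustered service provider needs a shared store keyed on assertion ID with entries kept until the assertion expires.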
GIAC, as a pioneer, pointed out single sign-on security concerns in a Global Information Assurance Certification paper. The paper brought to the world the idea that each operating system and application has its own set of security requirements for both user IDs and passwords, in the sense that SSO by itself doesn't really improve security and, in fact, if not deployed properly can degrade security. Enterprises need to comply with regulations and fulfil audit requirements, but please note that compliance may not equal security. Let's think it over: one single password that can access all key applications. Is that a security risk?