Security vs user experience? Single Sign-On provides the best of both worlds
For decades now, we have been told to protect our online and corporate identities using complex, varied and ever-changing passwords. Reusing the same usernames and passwords across multiple access platforms was hailed as the cardinal sin, while regularly updating our log-in credentials was mooted as a sure-fire way of making cyber-criminals miss their mark by continually shifting the goalposts. The issue is that people are generally unable to remember that many unique passwords, so insecure practices creep in, such as writing them down or using multiple variations of the same password.
Now, though, there is a way for us to both have our padlock-shaped cake and eat it. Given that 81% of data breaches are attributable to weak or stolen passwords, the previous system was clearly in need of repair, so software companies like Microsoft set themselves the ambitious twin goals of strengthening security and enhancing user experience at the same time. With single sign-on (SSO) solutions that incorporate multi-factor authentication (MFA) like Azure Active Directory and Windows Hello, as well as additional security features like Conditional Access, Microsoft have simplified the problem of cyber security for organisations and individuals alike, while simultaneously making things far harder for the malicious cyber-criminals.
Fewer keys – but fewer locks
Traditional methods of identity verification can be tiresome for individual users to remember and even trickier for admin teams to control, but you’d be forgiven for thinking that such an approach to cybersecurity might promote damage limitation in the event of a breach. After all, with access portals compartmentalised and log-in credentials kept distinct from one another, a threat actor could only gain access to one isolated part of the network in the event of a successful hack. However, this outlook exaggerates the additional security provided by having many keys, without focusing on the vulnerabilities associated with having many locks.
For example, if every user in a company with around 5,000-10,000 employees has five distinct log-in identities, that’s 25,000 – 50,000 passwords and access portals which must be monitored and controlled. Estimating a conservative employee turnover rate of just 10%, that’s still 2,500 – 5,000 new passwords that must be maintained on a regular basis – not to mention the 2,500 – 5,000 distinct log-in identities which must be properly disposed of. Obsolete entry points like these are particularly susceptible to attack from opportunistic hackers, who can take advantage of a sizable attack surface and use a scattergun or brute-force approach to gain unauthorised entry to the network. Once in, they can quickly navigate entire systems and elevate their access.
SSO eliminates this issue entirely by restricting an attacker’s options right off the bat. Instead of a convoluted system of multifarious passwords with an abundance of entry points for each individual user, SSO narrows down the possible field of attack to just one log-in portal. By concentrating on this single defence mechanism and making it as impenetrable as possible through the use of a strong passphrase, MFA and Conditional Access, it’s possible to link that log-in to an employee’s intrinsic identity. This makes things easier for the user and harder for the hacker, creating the perfect marriage of convenience and security.
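As an added illustration of the "one portal, hardened with MFA" idea, below is a constructed Conditional Access policy in the shape used by the Microsoft Graph `conditionalAccessPolicy` resource; it is not taken from the original article or from Microsoft documentation, and the display name and the shown-for-contrast weak variant are our own. The first object leaves MFA unenforced for everyone; the second requires MFA for all users signing in to all cloud apps, so the single sign-on portal is no longer protected by the password alone.

```json
{
  "weak_policy_for_contrast": {
    "displayName": "CONSTRUCTED: no MFA, reporting only",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": { "includeUsers": ["All"] },
      "applications": { "includeApplications": ["All"] }
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["mfa"]
    }
  },
  "hardened_policy": {
    "displayName": "CONSTRUCTED: require MFA for all users, all cloud apps",
    "state": "enabled",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeUsers": ["<break-glass-account-object-id-placeholder>"]
      },
      "applications": { "includeApplications": ["All"] },
      "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["mfa"]
    }
  }
}
```

The `state` value is the difference that matters: a report-only policy records what would have happened but never blocks a password-only sign-in, while `enabled` actually enforces the MFA grant control. The excluded account is a placeholder for an emergency-access identity that is monitored separately rather than left unprotected.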
Dispensing with passwords altogether
Indeed, through the use of newer authentication systems like Windows Hello and FIDO2 security keys, it’s even possible to bypass the cumbersome task of memorising passwords altogether. Instead, a user can choose to verify their identity through biometrics in the shape of facial or fingerprint recognition. Alternatively, creating a picture password (drawing three lines, circles or other gestures over a chosen photograph as a unique identifier) is an easier and potentially more effective method of securing an account than a character-based password, while the advent of physical security keys in the shape of FIDO2 devices allows users to carry external proof of their identity as well.
For those who struggle to remember which password they used for which site, which one has recently been updated and which one is due to be reconfigured in the near future, this new world of SSO and MFA for identity verification is welcomed by the cyber-security community. Not only does it enhance user experience and simplify cyber security protocols to the extent that they become almost invisible, but it makes a network more difficult to access at the same time. MFA is the key ingredient in this scenario, since implementing it can thwart 99.9% of all credential attacks, according to one of Microsoft’s chief specialists in its Identity Division.
Identity as armour, not just asset
As such, switching from a legacy authentication system to one which utilises SSO, like Azure Active Directory and Windows Hello for Windows 10, can be all that’s needed to turn identity from the asset you’re protecting into its own strongest armour. Concentrating all efforts on creating one unbreakable password that never needs modification, and supplementing that security through MFA and Conditional Access policies, can be just the difference that’s needed to better protect the single account and password combination. A smoother user experience and a more stringent security setup, all in one fell swoop.
With two decades of experience in implementing high-quality IT solutions, Quorum are experts in Identity and Access solutions. We’re specialists in Single Sign-On, Multi-Factor Authentication, Conditional Access and other identity solutions, including Enterprise Identity & Access Management (IAM), Customer Identity & Access Management (CIAM), Hybrid Identity, Business to Business (B2B) and Business to Customer (B2C) solutions, which promise to take your company to the next level without compromising on the all-important security features which safeguard it.
Want to learn more about how we can boost your business? Get in touch via our online contact form, give us a call on +44 131 652 3954 or drop us an email at email@example.com and we’ll be happy to help in any way we can.