As the need to access more networks and more applications grows, securely verifying someone’s identity has become critical. Many organizations are implementing solutions such as single sign-on (SSO) and multi-factor authentication (MFA) because cyberattacks are more prevalent and ruthless than ever before. In fact, the latest Data Breach Investigations Report from Verizon has found that 82% of breaches involved human elements such as social attacks, errors, and misuse.
Although deploying SSO or MFA can help organizations prevent many of these attacks, neither solves every problem. In fact, the wrong SSO or MFA solution can introduce new security issues or prevent legitimate users from accessing the applications and information they need to do their jobs.
The pros and cons of SSO
SSO is popular because it’s easy for users. It allows a user to log-in using an already trusted third party for verification. For example, many consumer web sites use SSO so you can log in with your existing Apple, Google, or Facebook account.
The biggest disadvantage of SSO should be obvious. If you don’t have strong encryption deployed when the sign-in information is passed from one application or site to another, it’s a huge security hole. Even worse, if a hacker can gain a foothold, they can potentially compromise other systems used by SSO.
Another issue for users is that SSO acts as a single point of failure. If any of the systems that use SSO are compromised, users won’t be able to access anything until the problem is resolved. In other words, SSO could wind up locking out your legitimate users and preventing them from accessing the apps and resources they need to do their jobs.
The pros and cons of MFA
MFA is more secure than SSO because it uses multiple factors to verify a person’s identity. Instead of just a username and password, it also includes other “factors” such as a smartcard, one-time password (OTP), FIDO token, or other authenticator. Although it’s more secure than SSO, because of the extra factors, it’s not as easy for people to use as SSO.
Because MFA is also sometimes more difficult to deploy than SSO, some organizations use SSO until something happens, at which point they realize SSO simply doesn’t offer enough protection. As noted, SSO should never be implemented without strong encryption and authentication methods, but even then, organizations often discover that the convenience of SSO comes at a price, so they start looking around for MFA solutions.
Using both MFA and SSO
The good news is that the MFA-SSO decision doesn’t have to be an either-or situation. It’s clear that SSO on its own isn’t enough, but organizations can combine SSO and MFA to improve both security and user experiences.
You can use both MFA and SSO together, but it’s more expensive and complicated to use a combination from multiple providers. Administering and integrating multiple products is more complicated and more expensive in both time and licensing costs than it is to set up a complete, unified identity and access management (IAM) solution that provides both MFA and SSO.
When looking at solutions, make sure you take all your needs into account. Here are a few questions to consider:
- Do you need both cloud and on-premises authentication? Many solutions are cloud-only, so if users need access to on-premises resources, make sure the solution supports it.
- Do you need high-availability features, such as offline authentication? What happens if the cloud system isn’t available? If users always need to be able to authenticate, look for on-premises failover, which enables users to authenticate even if the network or Internet connection is temporarily unavailable.
- What authentication methods do you need? If your organization has areas where mobile devices aren’t permitted, look for solutions with a wide breadth of authentication methods, such as hardware tokens that can be used in situations where software authentication isn’t possible.
- What environments do you need to support? If you have a hybrid endpoint environment, make sure the identity solution offers holistic multi-factor authentication (MFA) across all the environments you need such as Windows, Linux and Mac.
RSA identity and access management
With RSA, you get the reliable performance, flexible choices, and adaptive approach to authentication you need to secure access to resources in the cloud and on-premises with 99.95% availability. RSA doesn’t store passwords for SSO applications, and all communications are encrypted by default.
Our multi-factor authentication options can be tailored to your user environments, user/device risk profiles, and organizational preferences with options to use biometrics, OTP, push to approve and passwordless authentication. And with flexible RSA ID Plus plans, you can easily and seamlessly extend on-premises capabilities to the cloud over time, depending on your cloud strategy.
Learn more about RSA identity and access management solutions.