Bad SSO - Help Users Click All the Bad Things
Poorly implemented Single Sign On can lead to confusion and cyber risk
SSO stands for Single Sign On. Single Sign On, as shown in the great diagram above, lets users in a company network sign in once (to the domain/network itself) and then have access to most or all of the systems and applications that they are authorized to use.
Using SSO has some significant benefits, such as:
It streamlines password management for IT and cybersecurity admins.
It takes away most or all of the burden of password management from standard users. Most users are not big fans of having to manage, or even think much about, passwords.
It should reduce work for the Help Desk - fewer passwords should lead to fewer problems with logging in, getting locked out of an account and so forth.
It can increase security through having fewer sets of credentials (username and password). Note that this has a flip side though - an attacker who compromises a user’s credentials for one system then has access to all the other systems included within SSO.
When SSO is badly implemented though, I believe this can lead to significant cyber risk. In cybersecurity we put substantial effort into security awareness and training for all users. Our efforts in this area seek to provide messaging on concepts like the idea that it takes all of us, everyone, to keep our organizations safe and secure from the tsunami of threats we face; easy ways for all of us to “see something, say something”, report things that look out of the ordinary and suspicious, and more along these lines.
We want to make it easy for all of us to build up muscle memory for simple things in this area. Things like pausing for just a few moments when we see something that seems even just a little off before taking an action. A classic example of this is when we receive an email or a phone call from somebody we know well - a colleague, a boss, or a friend - and the email has an odd type of attachment or the phone call has a high level of urgency. Because we know these people, our immediate reaction will likely not place these things in the suspicious category - and we need that pause and little bit of extra consideration.
In an environment where SSO is inconsistent or erratic, we may well be creating the opposite kind of muscle memory. Let’s say a user gets used to seeing that three days a week she logs in to the network and then doesn’t need to log in to Systems X, Y, and Z throughout her work day. But she also gets to know that System X is a little goofy one or two days per week, and does ask her to sign in the first time she tries to access it, and System Z sometimes does this three or four times per day on the goofy days. System Y may often cut both ways within the same day - letting her in without a login prompt at the start of the day, then requiring a login in the afternoon.
If that sort of pattern becomes the norm for longer than a normal rollout period of working out the kinks of Single Sign On - and worse still if the IT Support team starts to frame it as “that’s just SSO being weird today” to users - then I think it’s the start of a slippery slope for all of our users’ awareness.
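One way an IT or security team can catch this pattern before users get used to it is to measure it: count how often each application forces a fresh sign-in even though the user already has a valid network session, and how many times in one day a single user gets prompted by the same application. The following is an added example, not code from this post; it assumes a constructed audit log format (timestamp, user, application, and an outcome of either `sso_pass` for a silent pass-through or `prompt` for a forced re-login), and the thresholds in `flag_erratic_apps` are assumed starting points, not values from the article.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from any real identity provider). One line
# per access: timestamp, user, application, outcome. "sso_pass" means the
# existing session was honoured silently; "prompt" means the user was asked to
# sign in again. The "goofy" Systems X, Y and Z from the article are modelled,
# alongside a well-behaved SystemW for comparison.
SAMPLE_LOG = """\
2024-03-04T08:02:11 alice SystemX sso_pass
2024-03-04T13:10:40 alice SystemX sso_pass
2024-03-05T08:05:02 alice SystemX prompt
2024-03-05T15:22:19 alice SystemX sso_pass
2024-03-06T09:00:45 bob SystemX sso_pass
2024-03-04T08:03:30 alice SystemY sso_pass
2024-03-04T14:41:07 alice SystemY prompt
2024-03-05T08:06:11 alice SystemY sso_pass
2024-03-05T10:12:58 bob SystemY sso_pass
2024-03-05T08:07:00 alice SystemZ prompt
2024-03-05T10:30:14 alice SystemZ prompt
2024-03-05T14:55:39 alice SystemZ prompt
2024-03-05T16:20:03 alice SystemZ sso_pass
2024-03-06T09:01:21 bob SystemZ sso_pass
2024-03-04T08:04:12 alice SystemW sso_pass
2024-03-04T11:30:55 bob SystemW sso_pass
2024-03-05T08:08:33 alice SystemW sso_pass
2024-03-05T13:15:09 bob SystemW sso_pass
2024-03-06T09:02:48 alice SystemW sso_pass
2024-03-06T10:40:17 bob SystemW sso_pass
"""


def parse_log(text):
    """Parse the constructed log format into (datetime, user, app, outcome) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, app, outcome = line.split()
        records.append((datetime.fromisoformat(ts), user, app, outcome))
    return records


def prompt_rate_by_app(records):
    """Fraction of accesses per application that ended in a fresh login prompt."""
    counts = defaultdict(lambda: {"prompt": 0, "total": 0})
    for _, _, app, outcome in records:
        counts[app]["total"] += 1
        if outcome == "prompt":
            counts[app]["prompt"] += 1
    return {app: c["prompt"] / c["total"] for app, c in counts.items()}


def max_prompts_per_user_day(records):
    """Highest number of prompts any single user saw from one app within one day."""
    per_app = defaultdict(lambda: defaultdict(int))
    apps = set()
    for ts, user, app, outcome in records:
        apps.add(app)
        if outcome == "prompt":
            per_app[app][(user, ts.date())] += 1
    return {app: max(per_app[app].values(), default=0) for app in apps}


def flag_erratic_apps(records, max_prompt_rate=0.10, max_daily_prompts=1):
    """Apps whose re-authentication behaviour exceeds either threshold, sorted by name.

    Both thresholds are assumed values for illustration; tune them to the
    session lifetime the identity provider is actually configured with.
    """
    rates = prompt_rate_by_app(records)
    bursts = max_prompts_per_user_day(records)
    flagged = {app for app, r in rates.items() if r > max_prompt_rate}
    flagged |= {app for app, n in bursts.items() if n > max_daily_prompts}
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    bursts = max_prompts_per_user_day(recs)
    for app, rate in sorted(prompt_rate_by_app(recs).items()):
        print(f"{app}: prompt rate {rate:.0%}, max prompts per user per day {bursts[app]}")
    print("erratic:", flag_erratic_apps(recs))
```

The point of the two measures is that they catch the two shapes of "goofy" behaviour the article describes: a high overall prompt rate (System X and System Y asking for a login on some days) and bursts of several prompts to one user in one day (System Z). An application that shows up on the flagged list is a ticket for the team that owns the SSO integration, not a behaviour to explain away to users.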
Today it’s just that goofy System X being weird again, tomorrow it’s System Y, and then one not-so-fine day it’s not one of our own systems. On that day, it’s an email with a malicious link to one of our everyday use applications, that strangely asks for a login. And the credentials entered during that login are then compromised by an attacker who has just gained a foothold in our environment.
This may not be among the highest rated cyber risks in an organization, but it is one that still deserves some attention.
Yo this is so helpful for people who partner with tech teams but don’t specialize in tech. Many thank yous!