
What is single sign-on (SSO)?


Logging in can be a hassle, especially when each of us has dozens of accounts across our work and personal lives. It adds that little bit of extra friction, plus there’s always the chance that we get locked out and need to go through the arduous process of recovering our accounts. We have so many accounts, and security best practices dictate that we should have a strong and unique password for each of them. While password managers solve some of these problems, the reality is that many people still reuse passwords across their accounts, because they simply can’t remember that many unique passwords. This leaves them open to credential stuffing attacks.

We can’t just skip over the authentication process and grant anyone access to our systems. Thankfully, single sign-on (SSO) gives us a way that we can reduce the amount of time a user spends logging in while still providing a reasonable degree of security.

What is single sign-on (SSO)?

Under single sign-on, a user only has to authenticate themselves once and they are then authorized to access multiple systems. One of the key components is an authentication server that is linked to multiple applications. Kerberos is one of the most popular single sign-on protocols.

With single sign-on:

  • When a user wishes to sign in to the first application, they send the app a login request.
  • If the user isn’t already logged in, the app will pass the user along to the authentication server.
  • When the user arrives at the authentication server, it will challenge them to authenticate themselves, often via a username, password and a second authentication factor (such as a one-time PIN). If the user passes the authentication successfully, the authentication server issues them a ticket and directs them back to the app.
  • Once the user arrives back at the app, they present the app with the ticket from the authentication server. The app then checks the ticket to ensure that it is legitimate, and if it is, it grants the user entry to the app.
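As an added illustration (not code from the Destination Certification article), here is a small Python model of the flow above. It assumes an HMAC-signed ticket with an expiry and a demo key shared by the authentication server and the apps that trust it; two apps accept the same ticket without a second login, while a tampered or expired ticket sends the user back to the authentication server.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key shared by the authentication server and the apps that trust it
# (an assumption for this example; real deployments typically use asymmetric signatures).
AUTH_SERVER_KEY = b"constructed-demo-key-do-not-reuse"
# Constructed user database held by the authentication server.
USERS = {"alice": "correct horse battery staple"}

def issue_ticket(username, password, otp_ok, now, ttl=300):
    """Authentication server: challenge the user once, then hand back a signed ticket."""
    if USERS.get(username) != password or not otp_ok:
        return None  # challenge failed: no ticket is issued
    claims = {"sub": username, "iat": now, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(AUTH_SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_ticket(ticket, now):
    """App-side check: return the user named in a genuine, unexpired ticket, else None."""
    try:
        body, sig = ticket.split(".")
    except ValueError:
        return None  # malformed ticket
    expected = hmac.new(AUTH_SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # signature mismatch: tampered or forged
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return None  # stale ticket: the user must authenticate again
    return claims["sub"]

def app_access(app_name, ticket, now):
    """An app that trusts the authentication server: valid ticket -> entry, else redirect."""
    user = verify_ticket(ticket, now) if ticket else None
    if user is None:
        return f"{app_name}: redirect to authentication server"
    return f"{app_name}: access granted to {user}"

if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    ticket = issue_ticket("alice", "correct horse battery staple", True, now)
    print(app_access("mail", ticket, now))  # first app: granted after the one login
    print(app_access("wiki", ticket, now))  # second app: granted with no second login
    print(app_access("wiki", ticket[:-1] + ("0" if ticket[-1] != "0" else "1"), now))  # tampered
    print(app_access("wiki", ticket, now + 301))  # expired: back to the authentication server
```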

This is the basic outline of how SSO works. But it’s only when the user logs in to another app that we really see the benefits. When the user goes to log in to a second app that also uses the same authentication server, they can present the app with the ticket. The app will see that the user has already authenticated themselves. Because this second app trusts the authentication server, it will grant the user access without the user having to log in once again.

In an ecosystem with many related apps that all use the same authentication server, single sign-on allows users to gain access to each of them while only having to log in once. This can dramatically reduce friction and make users’ lives a lot easier.

The downsides of single sign-on

Single sign-on can provide a better user experience, centralize administration, and it may help to discourage users from reusing passwords across accounts. However, one of the major downsides comes from the centralization. Under a traditional login system, if an attacker manages to compromise an account, they only have access to that account. If an attacker manages to compromise a user’s account on a system that uses SSO, the attacker will have access to all of the linked applications. This means that in the event of a compromise, an attacker can do a lot more damage.

Another issue that comes from the centralization is availability. If the system goes down, a user could lose access to all of their accounts until it’s back online. This can have much graver consequences than if the authentication for a single app goes down.

Despite these downsides, SSO is popular with users and the advantages can make it worthwhile. You just need to be aware of these risks before you implement an SSO system for your users.


Cybersecurity and privacy writer.
