Why You Should Remove the Password to Your Single Sign-On

Katie Wah

Your organization has implemented Ping Identity, Okta, or ForgeRock as your single sign-on provider. It’s easier for employees to log in to their cloud applications and services because employees only need to create and remember one password.

It’s a great first step. Now it’s time to increase the value of this investment. While employees need to remember fewer passwords, there’s still one password required to access all applications. It’s time to eliminate the last bit of friction and remove a rather large vulnerability that remains in your workforce login.

Why are passwords a problem?

Passwords are fundamentally insecure. Passwords are a “shared secret” (i.e., a secret that’s shared between the service provider and the user). The fact that both the service provider and the user know this shared secret creates two attack surfaces. This design makes users partially responsible for keeping this secret safe.

As security and IT professionals, we’ve tried to help employees in this quest to keep their passwords safe. Over the years, we have increased the number of characters required in a password, given in-person training on what constitutes a “secure” password, and even tested our employees’ passwords quarterly. These efforts to improve password security have only had the effect of increasing employees’ login frustrations, lockouts, and password resets, resulting in costly help desk and IT tickets.

It’s no surprise that employees try to game the system. It’s common for employees to reuse passwords across multiple online services. The password that an employee uses to log in to your single sign-on and access all their applications and data could be the same password they use to log in to a shadow IT or personal application, putting your organization at risk.

Passwords are the weakest link for the user, and they remain a potential attack vector until we eliminate them as a foundational authentication method.

Can passwords be protected by additional authentication layers?

The market has conditioned us to believe that we need to add another authentication method to protect the password. This is a Band-Aid solution. It doesn’t solve the root of the problem: the password and the risks that come with shared secrets. Adding a multi-factor authentication (MFA) solution is simply not good enough.

Most multi-factor solutions use authentication methods that have their own security risks. There are known issues with mobile push notifications, where end users absentmindedly click “yes” and let unauthorized users in. Mobile phones, SMS, and email channels can be compromised, and users can be phished. In addition to security concerns, these additional login steps cause friction for end users. Not only do end users need to create, remember, and change secure passwords, but they also need to pick up an external device every time they want to log in or check their email to type in a time-based, one-time password. Historically, authentication solutions have forced a tradeoff between being highly secure and providing end-user convenience.

Why go passwordless to log in to the SSO?

Passwordless solutions are great because they improve security by reducing the number of shared secrets while simultaneously making the login experience more convenient for employees. Think about that for just a second—a solution that reduces friction AND risk at the same time actually exists.

However, not all passwordless solutions are created equal. Here’s what makes some passwordless options better than others:

  1. Removes the password: Employees no longer need to create, remember, or change passwords to log in to their single sign-on applications.*
  2. Improves the login experience: Employees no longer need to pick up another external device every time they need to access applications.
  3. Simplifies onboarding: Employees can utilize their existing desktops, mobile devices, and tablets—no additional hardware is required.
  4. Minimizes lockouts: Employees can self-register, add, and remove multiple devices and authenticators for instant access.
  5. Reduces help desk tickets: Employees’ self-service portal reduces password reset costs.
  6. Tracks each login: Admins can easily view, in meticulous detail, data on which employee accessed what application, and from which device.
  7. Lowers total cost of ownership: Easily integrates with your existing technology stack—no additional products are required.

*Beware: the market is flooded with “pseudo-passwordless” solutions. It’s easy to get distracted by these step-up authenticators, but they still require employees to create and remember passwords, and then they add a step. This creates additional friction, and it doesn’t solve the root of the password problem.

Ready to go passwordless?