Multi-factor Authentication (MFA) as an Added Critical Layer of Security for Single Sign-On (SSO) Users

Enable MFA and SSO

Choosing to enable MFA (Multi-factor Authentication) and SSO (Single Sign-On), organizations can significantly enhance their security frameworks. This article explains the importance of deploying MFA at organizations where Single Sign-On (SSO) is enabled.

Enable MFA and SSO: What You Need to Know

Organizations use MFA to absolutely confirm a user’s identity, but it does not address the creation and use of secure passwords. MFA can be used behind any and every set of unique credentials, strong or weak. However, many businesses have turned to Single Sign-On technology to reduce the incidence of password overload on employees who constantly access different digital resources.

SSO is an identification and authentication method that enables users to access multiple applications, websites, and digital services using a single set of login credentials. Once verified, users can laterally move into and out of all authorized resources without having to enter a username and password each time.

SSO is usually associated with large enterprises with sizeable employee populations to reduce the number passwords in use. While true, it’s really about the number of digital assets a user needs to access to perform their job rather than the size of the company. Even small businesses have power users who need to streamline access and ease the management of credentials to multiple password-protected accounts. SSO is used by businesses of every size – and should always be used in combination with a password manager.

SSO is a paid service offered by a third-party identity management provider. As with MFA, implementing SSO requires users to verify their credentials against an independent trusted database outside the corporate network environment.

There are different types of SSO standards that use a variety of protocols and frameworks to identify users. The most popular include Security Access Markup Language (SAML) and Open OpenID Connect (OIDC),. SSO providers include Okta, Google, Microsoft, and OneLogin. Selecting the right SSO provider and service configuration largely depends on the size, applications, and geographies in which the organization operates.

The Challenges of SSO

In theory, SSO enhances security because it encourages the use of a single, stronger credential. But what if it doesn’t? If the SSO configuration is not secure the solution can be just another speedbump for hackers on the road to a breach.

So, while SSO speeds employee connection to critical resources and gives IT greater visibility into user activity, it also presents risks to enterprise security. Nothing is perfect. SSO credentials can be compromised. Depending on the SSO set up vulnerabilities have been discovered within the SAML and OIDC protocols that give cybercriminals unauthorized access to victims’ web and mobile accounts. An attacker who cracks a user’s SSO credentials will have unrestricted access to every application, service, and website that user has permission to access.

Attackers recognize that SSO providers are an attractive target given their importance in the supply chain. Why go after one user when you can unlock every SSO account in a single attack? SSO servers and underlying protocols have been targeted by security researchers and malicious actors alike in recent years.

In fact, in 2023 Okta reported a hacker obtained client browser session cookies and login credentials for Okta’s support case management system. The breach gave them access to Okta’s client networks and the ability to potentially infect multiple clients with malware and ransomware. Shortly thereafter it was found one of Okta’s clients was attacked using a token from an uploaded browser recording file that was shared with Okta. While that effort was thwarted, it remains unknown how the attacker gained access to Okta’s case management system and if it could happen again.

Finally, there might be some apps and services that do not integrate well with SSO, and other highly sensitive accounts that simply shouldn’t be connected to a SSO system but still are, nevertheless.

For these reasons it is critical that organizations take additional measures along with SSO to improve overall security.

Enable MFA and SSO to Close SSO Security Gaps

Step one is to keep SSO credentials in a secure password management app, like Passpack.
The second and most important step for organizations using SSO is to enable multi-factor authentication

Passpack endorses the use of SSO in tandem with MFA. SSO brings the convenience, MFA delivers the peace of mind.

The Passpack Password Manager Business Plan supports three forms of MFA: Google and Microsoft Authenticators plus YubiKey hardware-based devices. Together with Google SSO, and Microsoft Azure SSO is coming soon.

For greater flexibility Passpack gives administrators the option to turn off MFA when they have SSO enabled. This functionality was added as the result of customer requests to reduce login steps. While this workflow is available, we do not recommend its use.

Passpack Endorses and Supports Enabling MFA and SSO

Passpack recommends that businesses of every size activate MFA when SSO is enabled to reduce risk. Contact us to learn more about how Passpack integrates with SSO providers and try the new Business Plan free for 28 days. See firsthand how MFA combined with strong SSO passwords and use of the Passpack Password Manager is the ultimate combination to keeping all your data safe and sound.

Share article

Get Started with Passpack Today