MFA vs. SSO Explained
August 22, 2022
Legacy sign-on systems that use passwords put company and consumer data at risk, increasing the organizational risk of regulatory reprimand and reputational damage. Two common methodologies to strengthen authentication defenses are multi-factor authentication (MFA) and single sign-on (SSO), but there’s often confusion about the two. Here, we discuss the major differences and similarities in the MFA vs. SSO conversation and how they can best work together.
Since 2020, attacks on authentication processes have significantly increased as attackers sought to exploit vulnerabilities opened up by the shift towards remote working. Per Kaspersky, brute force attacks accounted for 13% of all cyberattacks in 2020 and over 31% just one year later, while 89% of the organizations interviewed for our State of Passwordless Security 2022 report experienced phishing attacks over the past year.
It’s easier and often more effective for attackers to simply log in through legitimate authentication channels, rather than break in using zero days or other software or hardware vulnerabilities. Various attack methods have been developed to quickly crack the standard “username and password” system. Traditional multi-factor authentication (MFA), which uses passwords plus another factor of verification such as an SMS one-time password (OTP) or authenticator app, offers only slightly more protection.
MFA vs. SSO: What are They?
MFA and SSO are both authentication processes but have different focuses and approaches to security and user experience. Here are the basics.
What is SSO?
Single sign-on is an authentication methodology where users only need one login to access a suite of services or applications. An everyday example is how a single Google authentication check gives users access to multiple potential Google accounts. The primary purpose of SSO is to deliver a streamlined user experience, improve workflow and reduce time lost to password resets and the actual login process.
SSO also delivers benefits for IT departments. It provides better visibility into user activity and can make it easier to enforce a complex password policy. It also makes it easier to trace and stop attacks.
However, SSO introduces a clear security flaw in that it creates a single point of failure — any hacker that breaks through that SSO point gains access to every connected account. On the same note, if the system becomes compromised or is down, users can’t access their applications.
What is MFA?
Multi-factor authentication is a security protocol that requires users to provide two or more types of proof of identity. The three types of identity verification are derived from:
- Knowledge, i.e., something you know. For example a password, PIN or a security question.
- Possession, i.e., something you have. For example a smart device, secure login key or FIDO token.
- Inherence, i.e., something you are. This can only be biometric data, such as retina or face scans and fingerprints.
The purpose of MFA is to increase the number of obstacles put in front of an attacker trying to gain access to an account. For example, if a hacker obtained your password in a data breach, they would still need your fingerprint to access your account. Though MFA should, in theory, reduce the risks of a breach, there is a vast discrepancy in the effective security of different authentication factors. MFA implementation methods also affect their degree of security. Any time a shared secret is used in the authentication process, it becomes inherently vulnerable to interception and other forms of attack.
MFA vs SSO: The Main Differences
To summarize, these are the core differences between MFA and SSO:
| Multi-Factor Authentication (MFA) | Single Sign-On (SSO) |
|---|---|
| A security protocol | An authentication methodology |
| Adds additional factors and obstacles into the sign-on process. | Seeks to reduce the number of times a user must sign in. |
| Adds a security layer to passwords, reduces the risk of a breach. | Makes signing on more convenient, improves workflow. |
MFA vs. SSO: Which Is More Secure?
The issue of MFA vs. SSO isn’t about choosing one or the other but rather deploying them in tandem to deliver the benefits of both. If done correctly, organizations gain an improved user experience, better visibility, and greater protection against authentication and account takeover attacks. However, uptake remains slow. Microsoft found that 78% of organizations using Azure AD don’t employ MFA.
There are a number of reasons why more organizations haven’t leveraged MFA with their SSO, including:
- Questionable Efficacy: Not all MFA is created equal. Many common methods (push notifications, SMS OTP) have already been circumvented by attackers. Additionally, kits are readily available online that push phishing attacks through MFA.
- User Friction: An MFA login process may require multiple steps causing user frustration, adoption resistance and a general lack of buy-in from employees.
- Authentication Overload: User friction can worsen if a company employs multiple SSOs or Identity Providers (IdPs) to log into different networks or applications.
- Deployment Cost: The outlay for implementing any new authentication infrastructure, including employee training and support costs, might be too much for already-limited IT departments.
- Productivity Loss: More time spent logging in means less time spent working. The additional steps for MFA might not seem too onerous, but they can be significant when expanded to all employees over a year.
Synergies and Improvements
There are other issues with MFA and SSO which could be solved by each other. These include the “desktop MFA gap” for SSO, whereby users must log in to their work device and then into their enterprise SSO. This creates a redundant login and a security gap between device and account authentication, which risks locally stored data and leaves machines open as a vector for attack.
Additionally, any MFA deployed with SSO should remove the use of passwords. Passwordless, phishing-resistant authentication is actively encouraged for improving security by regulatory bodies such as NIST, the federal government and the biggest tech companies in the world, including Apple, Google and Microsoft.
Make Your SSO Better With Passwordless MFA
While there are SSO providers that claim to provide passwordless authentication capabilities, they’re usually only user convenience features. For example, the user may use a biometric factor to unlock a PIN on the backend, which is then sent to authenticate the user, meaning a shared secret is still used. Only a fully passwordless MFA solution can guarantee the elimination of that vulnerability from your login process. It’s also important to decouple authentication from your SSO to further reduce the risk of fraudulent access.
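To make the shared-secret point concrete (both the MFA factors discussion above and the backend-PIN case here), this added Go example, which is not HYPR's code or part of the original post, contrasts an RFC 6238 TOTP check with a FIDO-style public-key assertion; the `relyingParty` type and the test seed are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// totp computes a 6-digit RFC 6238 code for a 30-second step. Verifier and user app hold
// the same secret, so a dumped verifier database or a code phished inside the window suffices.
func totp(secret []byte, unixTime int64) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	return int(binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff) % 1000000
}

// relyingParty models a FIDO-style verifier: it stores only a public key and a fresh challenge.
type relyingParty struct {
	pub       ed25519.PublicKey
	challenge []byte
}

func (rp *relyingParty) newChallenge() []byte {
	rp.challenge = make([]byte, 32) // fresh random challenge invalidates the previous one
	rand.Read(rp.challenge)
	return rp.challenge
}

func (rp *relyingParty) verifyAssertion(sig []byte) bool {
	return ed25519.Verify(rp.pub, rp.challenge, sig) // only the outstanding challenge counts
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 SHA-1 test seed
	code := totp(secret, 35)                  // code displayed to the user at t=35
	fmt.Println("phished code replayed at t=59:", totp(secret, 59) == code)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // private key never leaves the authenticator
	rp := &relyingParty{pub: pub}
	sig := ed25519.Sign(priv, rp.newChallenge())
	fmt.Println("fresh assertion:", rp.verifyAssertion(sig))
	rp.newChallenge() // next login attempt
	fmt.Println("replayed assertion:", rp.verifyAssertion(sig))
}
```

The verifier in the second half holds nothing an attacker could replay or reuse, which is the property a backend PIN unlocked by a biometric does not give you.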
The best solution for increasing security while improving user experience is to deploy robust, independent passwordless MFA. HYPR’s True Passwordless™ platform delivers secure, quick and easy logins for employees across all major SSOs and IdPs. In addition, HYPR’s secure phishing-resistant MFA can also be deployed on desktop, extending your security perimeter and reducing unnecessary logins.