Legacy sign-on systems built on passwords put company and consumer data at risk, and with it expose the organization to regulatory penalties and reputational damage. Two common approaches to strengthening authentication are multi-factor authentication (MFA) and single sign-on (SSO), but the two are often confused. Here, we discuss the major differences and similarities in the MFA vs. SSO conversation and how they can best work together.
Since 2020, attacks on authentication processes have significantly increased as attackers sought to exploit vulnerabilities opened up by the shift towards remote working. Per Kaspersky, brute force attacks accounted for 13% of all cyberattacks in 2020 and over 31% just one year later, while 89% of the organizations interviewed for our State of Passwordless Security 2022 report experienced phishing attacks over the past year.
It's easier, and often more effective, for attackers to simply log in through legitimate authentication channels than to break in with zero-days or other software or hardware vulnerabilities. A range of attack methods exist to quickly defeat the standard "username and password" system: credential stuffing with breached passwords, brute force, and phishing. Traditional multi-factor authentication (MFA), which pairs a password with a second factor such as an SMS one-time password (OTP) or an authenticator app, offers only slightly more protection, because the OTP is itself a short-lived shared secret that the user types into whatever page is in front of them. A phishing site that proxies the real login page can relay the OTP to the genuine service in real time.
MFA and SSO are both authentication processes but have different focuses and approaches to security and user experience. Here are the basics.
Single sign-on is an authentication methodology where users need only one login to access a suite of services or applications. An everyday example is a single Google sign-in granting access to Gmail, Drive, Calendar and the rest of Google's services without logging in to each one. The primary purpose of SSO is to deliver a streamlined user experience, improve workflow and reduce time lost to password resets and the login process itself.
SSO also delivers benefits for IT departments. It centralizes authentication, which gives better visibility into user activity, makes it easier to enforce a strong password policy in one place, and puts the login records an investigator needs in a single log, making it easier to trace and stop attacks.
However, SSO also concentrates risk in a single point of failure: an attacker who gets past the SSO login gains access to every connected application, so the SSO session itself becomes the highest-value target. On the same note, if the SSO system is compromised or goes down, users can't access any of their applications until it is restored.
Multi-factor authentication is a security protocol that requires users to provide two or more different types of proof of identity. The three types of identity verification are:
Something you know, such as a password or PIN (a knowledge factor).
Something you have, such as a registered phone, smart card or hardware security key (a possession factor).
Something you are, such as a fingerprint or face scan (an inherence factor).
The purpose of MFA is to increase the number of obstacles an attacker must clear to gain access to an account. For example, if a hacker obtained your password in a data breach, they would still need your fingerprint to access your account. Though MFA should, in theory, reduce the risk of a breach, there is a vast discrepancy in the effective security of different authentication factors, and the way a factor is implemented matters as much as which factor it is. Any time a shared secret (a password, a PIN, an SMS or app-generated OTP) is used in the authentication process, it is inherently vulnerable to interception, replay within its validity window, and phishing, because the server accepts the secret from whoever presents it. A factor based on a private key that never leaves the device, where the server holds only the public key and verifies a signature over a challenge bound to the site's origin, has no secret to intercept.
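As an added example (it is not code from the original article or from HYPR), the following Go program shows concretely why a shared-secret OTP and an origin-bound signature behave so differently against a real-time phishing proxy. It implements RFC 6238 TOTP as an authenticator app would, then a simplified WebAuthn-style assertion where the browser, not the user, inserts the origin into the signed data. The origins, the TOTP secret and the timestamp are all constructed for the demo; the relying-party checks mirror what a real WebAuthn server does, but the assertion format is simplified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// totp derives a 6-digit RFC 6238 code (HMAC-SHA1, 30 s step) from a shared secret.
// Both the authenticator app and the server hold `secret`; that is the weakness.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // RFC 4226 dynamic truncation
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// totpServerAccepts is the relying party's check. It cannot tell whether the code
// was typed into the real page or into a proxy that forwarded it.
func totpServerAccepts(secret []byte, now int64, submitted string) bool {
	return hmac.Equal([]byte(totp(secret, now)), []byte(submitted))
}

// Assertion is a simplified WebAuthn response: the browser records the origin it is
// actually on (WebAuthn puts this in clientDataJSON) and the authenticator signs it.
type Assertion struct {
	Challenge []byte
	Origin    string // set by the browser, not by the user or the page content
	Signature []byte
}

func signedData(challenge []byte, origin string) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

func signAssertion(priv ed25519.PrivateKey, challenge []byte, browserOrigin string) Assertion {
	return Assertion{challenge, browserOrigin, ed25519.Sign(priv, signedData(challenge, browserOrigin))}
}

// rpVerify mirrors the relying party: challenge matches, origin is the RP's own,
// and the signature verifies under the public key registered at enrolment.
func rpVerify(pub ed25519.PublicKey, expected []byte, rpOrigin string, a Assertion) bool {
	if !hmac.Equal(a.Challenge, expected) {
		return false
	}
	if a.Origin != rpOrigin { // the origin check is what defeats a relay
		return false
	}
	return ed25519.Verify(pub, signedData(a.Challenge, a.Origin), a.Signature)
}

// Outcome reports whether each login attempt was accepted by the server.
type Outcome struct {
	TOTPRelayAccepted     bool
	WebAuthnLegitAccepted bool
	WebAuthnRelayAccepted bool
}

func runScenarios() (Outcome, error) {
	const rpOrigin = "https://sso.example.com"    // hypothetical relying party
	const phishOrigin = "https://sso.evil.test"   // hypothetical proxy site

	// Shared-secret factor: the victim types the code into the phishing page and the
	// proxy forwards it inside the same 30-second window. The server accepts it.
	secret := []byte("constructed-demo-secret-0123") // constructed for the demo
	now := int64(1700000000)
	relayedCode := totp(secret, now)
	totpRelay := totpServerAccepts(secret, now, relayedCode)

	// Origin-bound factor: server stores only the public key from enrolment.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return Outcome{}, err
	}
	legit := rpVerify(pub, challenge, rpOrigin, signAssertion(priv, challenge, rpOrigin))

	// The proxy obtains a genuine challenge and hands it to the victim's browser, but that
	// browser is on the phishing origin, so that is the origin the authenticator signs.
	relayed := signAssertion(priv, challenge, phishOrigin)
	relay := rpVerify(pub, challenge, rpOrigin, relayed)

	return Outcome{totpRelay, legit, relay}, nil
}

func main() {
	out, err := runScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("TOTP code relayed by proxy accepted:   %v\n", out.TOTPRelayAccepted)
	fmt.Printf("WebAuthn login on real origin accepted: %v\n", out.WebAuthnLegitAccepted)
	fmt.Printf("WebAuthn assertion relayed by proxy:    %v\n", out.WebAuthnRelayAccepted)
}
```

The proxy never needs the user's key or secret; it only needs the user to complete the login on its page. For TOTP that is enough, because the code is valid wherever it is typed. For the origin-bound assertion the proxy receives a signature it cannot reuse, since the relying party sees its own origin missing from the signed data.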
To summarize, these are the core differences between MFA and SSO:

Multi-Factor Authentication (MFA)                                    | Single Sign-On (SSO)
A security protocol                                                  | An authentication methodology
Adds additional factors and obstacles to the sign-on process.        | Seeks to reduce the number of times a user must sign in.
Adds a security layer to passwords and reduces the risk of a breach. | Makes signing on more convenient and improves workflow.
The issue of MFA vs. SSO isn't about choosing one or the other but rather deploying them in tandem to deliver the benefits of both: SSO reduces the number of logins, and MFA makes the one login that remains harder to compromise. Done correctly, organizations gain an improved user experience, better visibility, and greater protection against authentication and account takeover attacks. However, uptake remains slow. Microsoft found that 78% of organizations using Azure AD don't employ MFA.
There are a number of reasons why more organizations haven't leveraged MFA with their SSO, including:
There are other issues with MFA and SSO that each could solve for the other. One is the "desktop MFA gap" for SSO: users must first log in to their work device and then log in again to their enterprise SSO. This creates a redundant login and a gap between device authentication and account authentication, which leaves locally stored data protected only by the device password and leaves the machine itself open as a vector for attack.
Additionally, any MFA deployed with SSO should eliminate passwords rather than layer a second factor on top of them. Passwordless, phishing-resistant authentication is actively encouraged by standards and government bodies such as NIST and the US federal government, and by the biggest tech companies in the world, including Apple, Google and Microsoft.
While there are SSO providers that claim to offer passwordless authentication, these are often only user-convenience features. For example, the user's biometric may merely unlock a PIN or password stored on the device, which is then sent to the backend to authenticate the user; a shared secret is still transmitted and verified, and can still be phished or intercepted. Only a fully passwordless MFA solution, in which the server holds no secret that an attacker could reuse, can guarantee the elimination of that vulnerability from your login process. It's also important to decouple authentication from your SSO, so that a compromise of the SSO platform does not by itself yield the credentials that protect it, further reducing the risk of fraudulent access.
The best solution for increasing security while improving user experience is to deploy robust, independent passwordless MFA. HYPR’s True Passwordless™ platform delivers secure, quick and easy logins for employees across all major SSOs and IdPs. In addition, HYPR’s secure phishing-resistant MFA can also be deployed on desktop, extending your security perimeter and reducing unnecessary logins.
Reach out to our team to learn more about how HYPR can harden authentication security with passwordless single sign-on.