We’re often asked about single sign-on (SSO) solutions here at 1Password. We get questions like ‘Can we use 1Password and SSO?’ and ‘Why do we need 1Password if our organization uses SSO?’
I’m about to cheat and answer (hopefully) every question at once: You absolutely can (and should) use 1Password alongside a single sign-on solution. Let’s start with a brief overview of the fundamentals.
SSO, identity access management (IAM) solutions, and password managers are often conflated because they have similar high-level protocols: one login provides access to multiple accounts. While SSO and password managers aren’t the same — they aren’t mutually exclusive, either.
SSO solutions allow users to authenticate with one username and password and use the same login session to access other websites and services. 1Password, at its core, is a password manager that allows users to securely store, fill, and share (if they choose) credentials, personal information, and documents.
Now, let’s explore all this in more depth.
Cover the bases
SSO and 1Password make a great team and, when they work together, they go a long way toward risk reduction.
I’m a sports fan, so let’s use a fun (maybe) analogy since I seem to be well on my way to another post littered with figurative language.
Imagine your roster is stacked. You won the draft lottery the previous year and signed the league’s top center/quarterback (choose your own adventure here) in the off season. You have a big advantage, but you let your guard down and play loose. Before you know it, your opponent scores and you lose the game. If only you had that two-way offensive defenseman/attacking defender…
The point of my colorful parallel is that, while your attack surface may be reduced when you use SSO - people will have fewer passwords - it’s definitely still vulnerable. Particularly because shadow IT is real. Beyond the accounts ITOps are aware of lie many they know nothing about. But when 1Password is implemented alongside an SSO, the logins created outside the SSO - and the login for the SSO, for that matter - are much stronger.
The strength (or entropy) of passwords doesn’t increase magically, though. 1Password has a built-in Smart Password Generator that automatically suggests passwords for new accounts as they’re created. It’ll do the same for existing accounts, too, if people want to strengthen current passwords. And, as we know, strong passwords used throughout an organization help guard against a variety of things, including brute-force and password reuse attacks.
Apart from the automatic suggestion of complex and unique passwords, each password created by the generator is saved automatically — safe and secure. Ah, what a fantastic segue.
Fill the gap
There are fewer passwords for your team to manage with SSO, and the passwords people do have need to be stored properly. Which brings me to another question we receive quite often that I didn’t mention at the beginning.
“Isn’t the data saved in 1Password protected by only one password, just like SSO?”
No. Decryption of 1Password data requires a combination of the 1Password account password and Secret Key. The Secret Key is an effectively uncrackable, high-entropy secret generated when an account is created. Even if someone were to guess an account password, the data is inaccessible without the corresponding Secret Key.**
And 1Password security extends far beyond the encryption process. While Watchtower provides active protection, we’ve added other features that help prevent phishing, and protect from keyloggers and browser-based attacks.
Every single thing saved in 1Password is secured the same way — including that SSO login. SSO wasn’t built to secure the data in the session it provides access to. It just wasn’t. As with any great partnership, though, the parties involved complement each other, and 1Password fills that space.
All good things
Single sign-on solutions do exactly what they were created to do - securely identify users to mulitple websites with one login - wonderfully. But SSO as a whole is a bit of a one-trick pony. 1Password, however, is kind of a unicorn.
Like a lot of password managers, 1Password allows people to safely store credentials, notes, and documents; generate secure passwords, and fill fields and forms with the information they’ve stored. Those are just the basics.
The SCIM bridge allows for easy deployment, permissions are highly customizable, and there’s Secrets Automation.
But my favorite 1Password hallmark is its ability to follow me from one device to the next. I can generate a password on my MacBook Air, fill the password (that was saved automatically) on my iPhone a few minutes later, then find and edit the entry on my MacBook Pro or PC later in the day. The handoff process is always quick, seamless, and safe.
1Password also acts as an authenticator for sites with two-factor authentication. And what’s required by many SSO solutions? Two-factor authentication.
Now, as much as this post is not about competition, but cooperation, I’d be remiss if I neglected to address how privacy is handled, since it’s an area SSO and 1Password overlap.
When an item is stored in 1Password, there’s no way for anyone, including those of us at 1Password, to know what the item is. And when you fill that item so you can log in to the most embarrassing fan site imaginable (choose your own adventure again), we don’t know about it. The same can’t be said for a single sign-on solution.
SSO providers learn what you log in to and when. This may be fine for an organizational SSO - the company already knows what’s in use - but it may not be the right call for absolutely everyone.
Just something to consider if I still haven’t swayed you from Camp Either/Or.
Even with the strength of a single sign-on solution in place, organizations have secrets. And 1Password is the best password manager to help create, manage, and protect those secrets.
You may come across articles out there that pit SSO and password managers against one another, or try to convince people to use one solution or the other. Those posts are doing readers a disservice.
SSO and password managers fill different roles. They work wonderfully together to mitigate risk, secure secrets, and provide versatility for many other business-related tasks. You don’t need to - and, like I said before, shouldn’t - choose between the two.
They’re a perfect match.
** An extremely condensed and simplified version. Please dive deeper in our white paper.