Single sign-on isn't enough: closing the SSO security gap

By Rob Boone

Single sign-on (SSO) used to be enough. It’s not anymore.

Consider these stats:

  • 34% of employees use unsanctioned apps.
  • 61% of employees have poor password practices.
  • Credentials are the #1 way attackers gain access to systems.

Let’s connect those dots. According to 1Password research, more than one-third of employees use apps for work that are unsanctioned, meaning IT and Security don’t know about them. That’s shadow IT, and because you don’t know about those apps, you can’t put their logins behind SSO.

The same research found that most employees have poor password practices like using weak passwords, or reusing them across multiple services.

Finally, credentials are still the primary method for attackers to gain access to systems.

So, employees are using weak or reused passwords to log in to unmanaged and unprotected services, leaving attackers' favorite entry point – credentials – vulnerable.

SSO solutions can help, of course. But reducing your attack surface means understanding what SSO protects – and what it doesn’t.

SSO is necessary

SSO providers like Okta or Microsoft Entra ID put user access for managed applications behind a single, strongly vetted identity. That strengthens your security posture while making it easier for employees to follow security protocols:

  • Single sign-on shrinks your attack surface by reducing the number of passwords in circulation.
  • Fewer passwords in circulation means fewer password reset requests for the IT help desk, and fewer passwords to manage, lessening the need for employees to get creative.
  • SSO services bring all covered logins under one umbrella, so security policies can be applied to all managed services at once.
  • Provisioning (onboarding and offboarding) gets simplified, too. IT can place employees in groups, then configure access at the group level to give new hires instant access to an entire suite of services, or revoke access for departing employees.

But it’s not sufficient

When employees sign in to unsanctioned apps with insecure passwords, SSO doesn’t help with that problem. Security professionals know this: Identity is the new perimeter security teams are tasked with defending, and 69% of security pros say SSO isn’t a complete solution for securing employee identity.

Think of it this way: With an SSO provider in place, do password spreadsheets and post-it notes still have a role to play?

Yep. As long as employees need to create and manage passwords, they’ll find ways to… well, create and manage (or simply reuse) those passwords. And if the company doesn’t provide a way to do that securely, employees are left to devise their own methods. Those methods are often insecure, leading to vulnerabilities for the company.

Employees' first priority is productivity – not security

To recap: SSO doesn’t secure every login. As long as there are stray logins SSO doesn’t cover, employees will be forced to manage those logins themselves.

But security isn’t a top priority for employees. The 1Password State of Enterprise Security Report 2024 also revealed that 54% of employees say they’re lax about company security policies. 44% say security would be less of an issue if leaders made tools easier to use and policies easier to follow.

And yet fewer than one in 10 security pros (9%) say employee convenience is the top consideration driving their security software decisions(!).

This creates a situation where employees share the responsibility for the security of the company, but aren’t given the necessary tools to carry out those responsibilities.

Of respondents to Gartner’s 2022 Drivers of Secure Behavior Survey, 44% acknowledged that they are ultimately responsible for managing their cyber risk exposure in the enterprise. Meanwhile, 67% admitted to using the same password for multiple accounts. — Innovation Insight: Workforce Password Management Tools (Gartner, 2024)

And that’s just the basics of creating and storing strong passwords. What happens when they need to share them with a colleague, or a contractor?

Enterprise password managers protect the logins that SSO doesn’t

The answer is an enterprise password manager (EPM) like 1Password. 1Password gives employees a way to create, store, and manage all those logins that SSO doesn’t cover.

And it makes doing so easier for employees than managing them on their own. No need to resort to post-it notes, password spreadsheets, or other insecure methods.

We’ve found that once people understand the concepts, which doesn’t take long, it’s a really smooth transition. I’d chalk that up to the user experience in 1Password, which we clearly think is superior to every other product we’ve looked at. — Nick Tripp, IT Security Office Senior Manager, Duke University (Duke tripled password manager adoption after switching to 1Password.)

Suddenly, it’s easier to manage and share logins in a secure way than it is to leave employees to fend for themselves. IT and Security get what they want (strong security) and employees get what they want (convenience). No more competing priorities.

The best of both worlds: Combining SSO and an EPM

So SSO secures sign-ins for managed applications. 1Password secures sign-ins for everything else. And you can combine the two to secure every sign-in, simplify the employee experience, and unify your security policies.

When you integrate 1Password with your identity provider – otherwise known as unlocking 1Password with SSO – employees no longer have to remember even their 1Password account password. Instead, they can sign in to 1Password using their SSO provider, thus gaining access to everything protected either by SSO or by 1Password with a single login.

And with Unlock 1Password with SSO enabled, admins can extend their existing identity-provider policies to everything stored in 1Password. Because the vault can only be unlocked through the identity provider, requirements like two-factor authentication now gate access to the credentials for unmanaged services as well, not just to SSO-enabled logins. Note what that does and doesn’t cover: the policy protects the stored credential, not the unmanaged service’s own login, so a password for that service that leaks elsewhere is still usable without passing the identity provider.

The protection enterprise password managers provide against phishing is also worth mentioning. If a user clicks a link in an email, an EPM will only offer to autofill a saved password when the page’s domain matches the website the login was saved for. For example, 1Password would offer to autofill on google.com but not on goog1e.com. That check only helps while the user lets the manager do the filling; copying a password out of the vault and pasting it into a look-alike site bypasses it, which is one more reason to make autofill the path of least resistance.
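The following is an added illustration of the domain-matching rule described above, written for this article and not taken from 1Password or any other password manager. It decides whether a saved login may be autofilled on a given page by comparing registrable domains (eTLD+1) rather than whole hostnames, so mail.google.com still matches a login saved for accounts.google.com while goog1e.com and google.com.evil.example do not. The suffix list and the helper names (registrable_domain, may_autofill, lookalike_of) are assumptions for the example; a real implementation would use the full Public Suffix List.

```python
"""Added example (not 1Password's code): should a stored credential be
autofilled on the page the user is currently viewing?

Rule shown: autofill only when the page's registrable domain (eTLD+1)
exactly matches the domain the credential was saved for, and the page is
served over HTTPS.  Look-alike hosts such as goog1e.com or
google.com.evil.example therefore never receive the password.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption for the example):
# suffixes under which other parties register names.
PUBLIC_SUFFIXES = {"com", "org", "net", "example", "co.uk", "ac.uk"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the eTLD+1 of url's host, e.g. 'accounts.google.com' -> 'google.com'.
    Returns None for non-web schemes, missing hosts, or a bare public suffix."""
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")
    # Encode with IDNA so Unicode look-alike labels compare in their
    # punycode (xn--...) form instead of looking like the ASCII original.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    labels = host.split(".")
    # Find the longest public suffix that ends the host, then keep one more label.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host *is* a public suffix
            return ".".join(labels[i - 1:])
    return host  # no known suffix: treat the whole host as the domain


def may_autofill(saved_url: str, page_url: str, require_https: bool = True) -> bool:
    """True only if the page is on the same registrable domain as the saved
    login and (by default) is served over HTTPS."""
    if require_https and urlsplit(page_url).scheme != "https":
        return False
    saved_dom = registrable_domain(saved_url)
    page_dom = registrable_domain(page_url)
    return saved_dom is not None and saved_dom == page_dom


# Common digit-for-letter substitutions seen in typosquatted domains.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _normalise(domain: str) -> str:
    return domain.translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def lookalike_of(page_url: str, saved_url: str) -> bool:
    """Flag a page whose domain differs from the saved one but collapses onto
    it once common substitutions (1->l, 0->o, rn->m, ...) are normalised.
    Intended to warn the user; it never permits autofill on its own."""
    page_dom = registrable_domain(page_url)
    saved_dom = registrable_domain(saved_url)
    if page_dom is None or saved_dom is None or page_dom == saved_dom:
        return False
    return _normalise(page_dom) == _normalise(saved_dom)


if __name__ == "__main__":
    saved = "https://accounts.google.com/signin"
    for page in ("https://mail.google.com/inbox",
                 "https://goog1e.com/login",
                 "https://google.com.evil.example/",
                 "http://google.com/"):
        print(f"{page:40} autofill={may_autofill(saved, page)} "
              f"lookalike={lookalike_of(page, saved)}")
```

The two functions are deliberately separate: may_autofill is the gate that decides whether a password ever leaves the vault, while lookalike_of only drives a warning. Keeping the warning heuristic out of the gate means a clever domain that slips past the confusable list still gets no autofill, because it fails the exact eTLD+1 match.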

1Password Extended Access Management: Secure every sign-in to every app from every device

1Password Enterprise Password Manager secures every sign-in from every device. 1Password Extended Access Management goes further. Extended Access Management (XAM) is an entirely new category of security software designed to extend access management to every identity, device, and application.

XAM goes places traditional identity and access management (IAM) can’t – specifically, to every device employees might use for work. As remote work and bring-your-own-device (BYOD) proliferate, and the number of SaaS applications we use for work increases, 1Password Extended Access Management covers those bases.

1Password® Extended Access Management combines four aspects of access management into one easy way to secure your business:

  • User Identity extends single sign-on to every application, including unsanctioned apps.
  • Device Trust keeps unknown and unhealthy devices away from your sensitive data, and gives employees a way to fix the problems it finds and regain access without involving IT.
  • Application Insights gives admins visibility into the applications employees are using, so they can guide users towards company-approved applications, or manage access to unmanaged applications.
  • Enterprise Password Manager rounds it all out with the benefits we’ve discussed in this article (among many others), starting with securing every set of user credentials.

For a full walkthrough of 1Password Extended Access Management, check out the on-demand webinar.

Business security doesn’t have to be this hard

Both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) flavors of SSO protect sign-ins to managed applications. 1Password Enterprise Password Manager protects virtually everything else. And 1Password Extended Access Management extends that security to every identity, every sign-in, and every device.

To see for yourself how easy strong security can be, get started with a free 14-day trial of 1Password Business. Or, reach out to request a demo of 1Password Extended Access Management.

Rob Boone - Content Marketing Manager