Single Sign On in the Eyes of a Hacker

Last updated: 17 May 2018

By: Jason Hart, CTO, Gemalto Enterprise & CyberSecurity


Querying an unprotected database is one of my favorite ways to get a crowd’s attention, moving from a simple Google search to a list of unencrypted usernames and passwords. Of course, when it comes to passwords, there are many other tricks in a hacker’s bag: circulating phishing emails, running brute-force attacks or getting people to install malware that steals anything they enter into their browser. Malware kits and password cracking tools are affordable and widely available on the dark web.

My work as an ethical hacker and founder of WhiteHat Security, an infosec consulting firm, more than a decade ago led me to recommend that clients implement two-factor authentication (2FA). Putting my money where my mouth was, in 2006 I used WhiteHat Security as a vehicle to acquire CRYPTOCard, with the help of a few angel investors. At the time we acquired CRYPTOCard, it was a traditional, somewhat cumbersome, on-premises 2FA solution. The core objective and key vision for that acquisition was to take something very complicated, namely 2FA, and make it very, very easy for people to consume.

While I served as CEO of the newly acquired company, this vision gradually took shape through the hard work and development of its engineers, until it finally materialized. We took a traditional, on-prem 2FA solution and turned it into the world’s first cloud-based authentication service, known today as Gemalto’s award-winning SafeNet Authentication Service. Unlike other solutions on the market at the time, the service was elegant, fully automated and 100% cloud, integrating with an organization’s existing infrastructure.

Fast forward to today, and the proliferation of cloud-based applications has only exacerbated the password problem. Underscoring the havoc wreaked by unprotected identities, the Breach Level Index shows that 67% of all data breaches can be categorized as identity theft. Identity proliferation has also given rise to password fatigue, ineffective administration and compliance risk.

Case in point, how many of you have left a company, only to retain your access credentials for the corporate webmail or cloud service? A recent joint Ponemon-Gemalto survey found that on average, companies today use 27 cloud apps. That’s 27 consoles from which to revoke or troubleshoot employee identities(!).

Unsurprisingly, to contend with this password pudding, four in ten IT decision makers have already implemented cloud single sign-on as an access management capability, according to the 2018 IAM Index. SSO lifts the burden of passwords from users and shaves hours of lifecycle administration off IT’s workload. Individuals can access all their 20 or 30 apps with a single username and password, and IT can define and enforce policies from a single pane of glass.

But there is a caveat. While convenient for end users and efficient for admins, single sign-on concentrates risk: if that single identity is compromised, an attacker can reach all of a company’s applications unfettered. Access management takes SSO a step further. By letting you step up authentication before a single sign-on session is launched, and even after it has been, you can raise the level of assurance where you think it is needed. In this way, access management offers users the utmost convenience without sacrificing security.

Generally, access management combines four key capabilities: single sign-on, multi-factor authentication, access policies and session management. Working as a trusted identity provider, an access management solution centrally processes authentication requests and relays an accept or reject response to the relying applications, such as Office 365, AWS and so on. This kind of central identity verification raises the level of assurance that a user is who they claim to be. When you log in to a new website with Facebook, Google or Twitter, that is the new website using Facebook, Google or Twitter as its identity provider. (This kind of integration is performed using an API or an identity federation protocol such as SAML 2.0 or OpenID Connect, the latter built on top of OAuth 2.0.)

I am confident that thanks to innovations like FIDO, Windows Hello, biometrics, Mobile PKI and contextual authentication, within a decade passwords will be minimized, if not altogether eradicated. Until then, specialized identity providers offer important advantages, such as taking extra precautions to secure your company’s hundreds, thousands or millions of identities. Using strong encryption and key management, an identity provider keeps your identities and access credentials safe.

Should a cloud service be hacked or a phishing campaign run amok, an identity provider will protect your company’s identities and render passwords alone insufficient to access your most important assets, keeping them confidential and intact. By requiring strong authentication, for example in the form of a one-time passcode (OTP), any attack that harvests only static passwords is blunted, since the perpetrator would still need to supply a valid OTP. (An OTP can still be relayed by a real-time phishing proxy, which is why phishing-resistant factors such as FIDO matter for the most sensitive apps.) Combined with contextual attributes, multi-factor authentication could even be used to eradicate passwords altogether.
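To make the two preceding ideas concrete, the identity provider that centrally accepts or rejects an SSO launch and steps up authentication when an app’s policy demands it, and the OTP that leaves a leaked password insufficient on its own, here is an added, self-contained Python example. It is not Gemalto or SafeNet code; the user record, the per-app policies, the signing key and the session format are all constructed for illustration, and an HMAC stands in for the XML-DSig or JWS signature a real SAML or OIDC provider would put on its assertion. The TOTP seed is the RFC 6238 test-vector seed, so the codes it produces can be checked against the RFC.

```python
"""Toy identity provider: SSO with per-app access policies, TOTP step-up and
signed assertions. Added example, not Gemalto/SafeNet code; every name, key
and record below is constructed for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import struct
from dataclasses import dataclass, field

# Assurance a session can carry; an app's policy states the minimum it accepts.
PASSWORD_ONLY = 1
PASSWORD_PLUS_OTP = 2

# Constructed user store: salted PBKDF2 hash plus a TOTP seed (RFC 6238
# test-vector seed), never a plaintext password.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_seed": b"12345678901234567890",
    }
}
# Access policies, enforced centrally by the IdP instead of by each app.
APP_POLICY = {"webmail": PASSWORD_ONLY, "aws-console": PASSWORD_PLUS_OTP}
# Key the IdP uses to sign assertions handed to relying apps (stand-in for
# the XML-DSig / JWS signature of a real SAML or OIDC IdP).
IDP_KEY = b"constructed-idp-signing-key"


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the current time step."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Session:
    user: str
    assurance: int = PASSWORD_ONLY
    used_steps: set = field(default_factory=set)  # OTP replay protection


class IdentityProvider:
    def __init__(self):
        self.sessions = {}

    def login(self, user: str, password: str):
        """Factor 1. Returns a session id, or None on bad credentials."""
        rec = USERS.get(user)
        if rec is None:
            return None
        h = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(h, rec["pw_hash"]):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user)
        return sid

    def step_up(self, sid: str, code: str, now: int, window: int = 1) -> bool:
        """Factor 2: accept one TOTP per time step, +/- `window` steps of clock drift."""
        s = self.sessions[sid]
        seed = USERS[s.user]["totp_seed"]
        for k in range(-window, window + 1):
            t = now + k * 30
            if t < 0 or t // 30 in s.used_steps:
                continue
            if hmac.compare_digest(totp(seed, t), code):
                s.used_steps.add(t // 30)
                s.assurance = PASSWORD_PLUS_OTP
                return True
        return False

    def access(self, sid: str, app: str):
        """Central accept/reject for an SSO launch: ('accept', assertion),
        ('step_up', None) if the session's assurance is too low, else ('reject', None)."""
        s = self.sessions.get(sid)
        required = APP_POLICY.get(app)
        if s is None or required is None:
            return "reject", None
        if s.assurance < required:
            return "step_up", None
        payload = json.dumps({"sub": s.user, "aud": app, "acr": s.assurance},
                             sort_keys=True).encode()
        sig = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
        return "accept", base64.b64encode(payload).decode() + "." + sig


def verify_assertion(token: str, app: str):
    """Relying-app side: trust the claims only if the IdP signature verifies
    and the assertion was issued for this app (audience), not for another."""
    b64, sig = token.rsplit(".", 1)
    payload = base64.b64decode(b64)
    expected = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    return claims if claims.get("aud") == app else None


def demo(now: int = 59) -> dict:
    """Walk the flow with a fixed clock (t = 59 s, the RFC 6238 test vector)."""
    idp = IdentityProvider()
    sid = idp.login("alice", "correct horse")
    code = totp(USERS["alice"]["totp_seed"], now)
    out = {
        "bad_password": idp.login("alice", "wrong-password"),  # None
        "webmail": idp.access(sid, "webmail")[0],               # accept
        "aws_before": idp.access(sid, "aws-console")[0],        # step_up
        "otp_ok": idp.step_up(sid, code, now),                  # True
        "otp_replay": idp.step_up(sid, code, now),              # False
    }
    status, token = idp.access(sid, "aws-console")
    out["aws_after"] = status                                    # accept
    out["claims"] = verify_assertion(token, "aws-console")
    out["wrong_audience"] = verify_assertion(token, "webmail")   # None
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details carry the security point. The low-assurance session opens webmail but only earns a `step_up` verdict for the AWS console, and a stolen password on its own never gets past that verdict; the `used_steps` set then refuses the same OTP twice, so a code captured once cannot be replayed inside its time window. The relying app, for its part, checks both the signature and the audience before trusting the assertion, which is what stops an assertion minted for one app from being replayed at another.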

Considering the mega breaches of cloud service providers (e.g. Yahoo) and their lack of expertise in protecting identities with things like hardware-based encryption and key rotation, enterprises would be well advised to leverage the best of both worlds: the quickest time to value with all flavours of cloud, and the best in security technology from expert identity and data protection providers.

If you’re concerned about keeping your data safe in virtual, cloud and hybrid environments, this is the time to get educated. Learn how to manage the new identity perimeter, or even try our data protection as a service solution now for free. With our latest cloud-protecting services, including SafeNet Trusted Access and SafeNet Data Protection On-Demand, it’s never been easier.

