SSO is dead: Why the age of zero trust demands secure explicit sign-on
Single sign-on's cons now outweigh the pros
One cyber truth has become increasingly evident: the concepts of Single Sign-On (SSO) and zero trust are fundamentally incompatible.
Single Sign-On (SSO) was introduced to balance convenience and security, though in its early days, convenience often seemed to take precedence. But, in today's cyber landscape, the idea that a single entry point can be trusted to secure an entire digital ecosystem is not just outdated; it's dangerous.
SSO hinges on a flawed assumption that a single authentication event is sufficient to guarantee security for all subsequent actions—a dream for hackers and a nightmare for security teams.
The rise of the zero trust security model has made this fact a stark reality. It's a philosophy that no one – whether they are inside or outside of your network – should be trusted by default. Every action, every request, every device must be explicitly authenticated, authorised and validated. As such, where there is SSO, zero trust cannot exist. This is where Secure Explicit Sign-On (SES) comes into play – but more on this later.
The era of implicit trust is over, and businesses need to take note.
SSO's cons now outweigh the pros
Authentication is a crucial aspect of any cybersecurity solution, and it ensures that only authorised users can access a business's digital infrastructure.
Single Sign-On (SSO) simplifies the login process by allowing users to authenticate once and then gain access to multiple applications without needing to log in separately each time. For example, after logging into a Google account, users can access Google services like Gmail, Drive and Docs without re-entering their credentials. However, without SSO, moving between different platforms - like going from Google to Salesforce or Jira - would require separate logins. SSO enhanced the user experience by reducing the need for multiple authentications across different applications.
SSO simplifies this by letting users log in once to access all their apps and data - however, it still requires users to re-authenticate themselves they go to
While nearly 87% of companies in the EMEA region rely on SSO solutions, this convenience comes at a dangerously high cost: a single point of failure. If attackers exploit an SSO system, they can access data or linked services with just one breach, just like in last year's Okta attack.
This vulnerability starkly exposes why SSO's limitations are more than just problematic—they're a ticking time bomb. However, little seems to have been done to remove the threat that SSO systems present, even with the rise of the 'zero trust' security model.
SSO compromises the zero trust security model
But what is zero trust? Well, the US National Institute of Standards and Technology (NIST) defines it as a security model that operates on one key principle: never trust, always verify.
Unlike traditional security models that assume that a user who knows an account's password and credentials is inherently trustworthy, the zero trust security model means that a cyber security solution authenticates every user and device for each service they wish to access. This means that access is granted, but then re-verified, every time a user accesses a service.
Recent statistics show that 63% of companies have adopted this zero-trust cybersecurity approach, with many more likely to follow in the coming months and years. However, despite the shift toward zero trust, many businesses continue to rely on SSO, which is like unlocking the front door and thereby opening every door behind it. From a security point of view, it is pointless.
Secure explicit sign-on (SES) provides a way forward
As a result, the industry now needs to make secure explicit sign-on (SES) the norm, as it provides a much more robust authentication framework that better aligns with the continuing shift to zero trust.
Indeed, unlike SSO, SES operates on the principle of explicitly verifying a user's credentials and device security at every interaction with a company's digital infrastructure. This approach combines the user-experience of SSO but relies on the zero trust model and requires the user to authenticate explicitly.
Same-device MFA makes this possible by asking the user to unlock their device for each application or service. Since the user need only unlock their device to obtain access, and that access is proven with asymmetric (public-key) cryptography rather than a shared secret, it provides a seamless user experience along with military-grade security.
This limits the risk of a single point of failure, and more closely aligns with the zero trust approach to security.
Implementing SES
Now, I can already hear the collective groan: switching to a new form of authentication sounds daunting, particularly if it means being chained to repeated password entries.
Fear not. The approach I am proposing comes with another important detail – we need to eradicate passwords immediately. Passwords not only offer multiple infection vectors for criminals—such as credential phishing and password-based attacks—but are also entirely unnecessary.
Transitioning to an SES-based and passwordless authentication system is far from the impossible task that many so-called experts and industry leaders would have you believe. The technology, known as Multifactor Authentication (MFA) 2.0, is already available and can address many of the issues we've discussed.
Indeed, SES means repeated authentications, but by using MFA 2.0 this is no longer an issue, as it removes the need to input a password altogether. Instead, MFA 2.0 grants users access by using a PIN or biometric data, such as a fingerprint.
As such, it only provides access to accounts and data to users on trusted devices, by trusted users (who are identified by biometrics, rather than passwords) and under the user's total control.
What this means is that the system knows that the user communicating with it from their device is definitely who they say they are, not just someone who knows the account's password and credentials. Therefore, the only way that a bad actor could gain access would be by being in the same room as the user, eliminating the risk of a single remote entry point completely.
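The pattern described in the SES and MFA 2.0 sections above, as an added example (not code from the article and not IDEE's product): each service issues its own single-use challenge, the device signs it with a private key only after a fresh unlock, and the service checks the signature against the device's public key. A toy RSA key with small fixed primes stands in for a real hardware-backed device key; the primes, service names and nonces are constructed for illustration only.

```python
# Added illustration of per-service, device-bound explicit sign-on.
# Toy RSA with tiny fixed primes is NOT secure; it only shows the asymmetric
# challenge-response flow. A real device uses a hardware-backed key.
import hashlib
import secrets

P, Q, E = 1000003, 1000033, 65537   # constructed toy primes; public key is (E, N)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: never leaves the device

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

class Device:
    """User's device: holds the private key; unlock() is the same-device MFA step."""
    def __init__(self):
        self.unlocked = False
    def unlock(self, pin_or_biometric_ok: bool):
        self.unlocked = pin_or_biometric_ok
    def sign(self, service: str, nonce: str):
        if not self.unlocked:                 # no fresh unlock, no proof
            return None
        self.unlocked = False                 # user presence is consumed by one request
        return pow(digest(f"{service}|{nonce}".encode()), D, N)

class Service:
    """One relying party; issues its own single-use nonces and checks service binding."""
    def __init__(self, name: str):
        self.name, self.pending = name, set()
    def challenge(self) -> str:
        nonce = secrets.token_hex(8)
        self.pending.add(nonce)
        return nonce
    def verify(self, nonce: str, sig) -> bool:
        if sig is None or nonce not in self.pending:
            return False
        self.pending.discard(nonce)           # single use: a replayed proof fails
        return pow(sig, E, N) == digest(f"{self.name}|{nonce}".encode())

def demo() -> dict:
    dev, mail, docs = Device(), Service("mail"), Service("docs")
    n1 = mail.challenge(); dev.unlock(True); s1 = dev.sign("mail", n1)
    ok = mail.verify(n1, s1)                  # explicit sign-on to mail succeeds
    replay = mail.verify(n1, s1)              # the same proof again is refused
    n2 = docs.challenge()
    silent = docs.verify(n2, dev.sign("docs", n2))  # no new unlock: no proof issued
    cross = docs.verify(n2, s1)               # mail's proof does not open docs
    dev.unlock(True); n3 = docs.challenge()
    fresh = docs.verify(n3, dev.sign("docs", n3))   # new unlock + new nonce: succeeds
    return {"ok": ok, "replay": replay, "silent": silent, "cross": cross, "fresh": fresh}
```

Contrast this with an SSO bearer token: once issued, the same token is accepted by every linked service until it expires, which is exactly the single remote entry point the article warns about.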
Final thoughts
To wrap up, SSO transformed cybersecurity by simplifying access and improving user experience. But as threats evolve, relying on SSO is no longer a safe option—it's a significant security risk.
The future of cybersecurity hinges on Secure Explicit Sign-On (SES) paired with MFA 2.0—a combination that ensures not just security, but also the convenience that modern businesses demand. The era of implicit trust is over; it's time to prioritise security with SES and MFA 2.0.
Al Lakhani is CEO of IDEE