Is Single Sign-On (SSO) Secure?

By Zach DeMeyer Posted October 12, 2018

As if 2018 hasn’t been a tough enough year for Facebook, it was revealed in late September that the social media giant had been breached. The compromise itself was due to predators pouncing on several zero-day vulnerabilities, but it ultimately caused anguish and confusion for over 30 million Facebook users. The breach has also led several people to ask questions about Facebook, as well as identity security in general. Specifically, some are wondering, “Is single sign-on (SSO) secure?”

Why That Question?

You may be wondering why, in a discussion about a Facebook hack, we would bring up SSO, but the two are more intertwined than you might think. Facebook has a number of partnered properties, including services such as Spotify, that link directly to a person’s Facebook account. By using their Facebook account, people can log into a variety of services with one identity. In practice, this functionality is quite convenient, but once those identities have been compromised, it becomes a source of worry.

Facebook isn’t actually an SSO solution for businesses, however. Compared to the vast field that is SSO, Facebook’s single sign-on functionality is more a trite novelty than a true, full-fledged solution. So, it’s unfair to ask if single sign-on is secure just because a non-player in the scene got breached, when in fact the entire SSO industry is actually dedicated to creating secure centralized identities.

The Actual SSO Market

The SSO space is filled with Software-as-a-Service (SaaS) solutions that bridge the gap between a user identity (usually from a directory service like Microsoft® Active Directory®) and web applications like Salesforce, GitHub, Trello, etc. While this is very similar to what Facebook’s “SSO” can do, the implications can have a far greater impact. Generally, these SSO solutions are leveraged by organizations looking to protect their sensitive company data by regulating and monitoring access via a directory service. With an SSO solution, companies can limit the attack vectors created by forgotten or inadequate passwords. By this definition, single sign-on actually promotes security, as opposed to compromising it.

How secure is SSO actually?

Unfortunately, the traditional SSO model only allows authentication and authorization to web apps. But what if I told you that there is a next-generation single sign-on solution that could federate user identities not only to web apps, but to systems, networks, files, and more? This concept of True Single Sign-On™ uses one centralized identity to provide access to almost any IT resource imaginable, and is available from JumpCloud® Directory-as-a-Service®.

JumpCloud®’s Secure True Single Sign-On™

JumpCloud revolutionizes the idea of secure single sign-on by combining SSO with a platform-agnostic, cloud-based directory. Directory-as-a-Service leverages the LDAP and SAML protocols to securely connect users to their on-prem and cloud-based apps, as well as hyper-secure WiFi networking with RADIUS. Since it’s a cloud directory service, any JumpCloud user can reap the benefits of hyper-secure True SSO across their systems as well, be they Windows®, Mac®, or Linux®.

So, is single sign-on secure? Well, Facebook’s will now get a lot of attention, but the cloud identity management industry is working hard to create secure identities. To learn more about True SSO, contact us or check out our YouTube channel. You can also see True SSO and everything else Directory-as-a-Service has to offer by trying JumpCloud for free. There’s no credit card required, and signing up comes with ten users free forever to get you going.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.
