It’s very common to hear the terms “single sign-on” (SSO) and “password management” in the same sentence nowadays.
In 2022 (and in the context of a cloud directory platform like JumpCloud), SSO is a very timely topic. It’s quickly become the gold standard in our Identity-focused world for its security and convenience. SSO allows users to traverse apps, services, and devices, while only having to sign in one time.
But before SSO, password management had a proven track record of success in enterprise and MSP settings. This leads to a question we get asked a lot here at JumpCloud: which one should I implement in my MSP: SSO or password management?
With the arrival of the JumpCloud Password Manager™, we can comfortably offer some insights and recommendations on the best choice for MSPs. Let’s take a look at some of the tangible benefits and drawbacks of SSO, and how password management can fill in the gaps.
Benefits of Single Sign-On
Single sign-on greatly increases your customers’ security by narrowing the attack surface from hundreds of users, each with multiple logins to myriad apps, to just one login per user for every application. It also improves user efficiency by sparing users the inevitable forgotten passwords and logouts, and it reduces an MSP’s password-related help desk tickets.
Security Against External and Internal Threats
As an MSP, you and your customers are under constant attack from external threats. Cybercriminals look for any and all possible points of weakness in your defenses, knowing that a single successful grab of credentials from any user can cost you millions.
Consolidating logins into one core identity with SSO drastically reduces this attack surface. Instead of monitoring countless logins for many apps, with SSO you only have to protect a single vector: an account based in a directory like JumpCloud. Guarding this account with MFA and conditional access policies can stop many of the most common attacks dead in their tracks.
A large amount of an MSP’s energy and overhead goes into protecting themselves and their clients against outside threats. But an internal bad actor can also cause irreparable damage to an enterprise when proper precautions are not in place. Every SaaS tool you add to your customer’s tech stack without SSO adds one additional account you’d need to secure in the event of a rogue user – and one more opportunity to fail at revoking access in time.
Increased Efficiency and Standardization
Combining access to multiple apps and services using SSO improves the daily lives of end users. Researchers found that employees interact with an average of 9.4 apps in a normal day’s work. Juggling multiple passwords and logins without SSO can lead to potentially gaping security holes – and increase your number of forgotten password tickets.
The top two behaviors fostered in an environment like this are overly simple passwords, and reusing the same password across multiple accounts. More than likely, the businesses your MSP manages have many users doing both at the same time!
Not only does this cause security issues, but credential juggling also leads to headaches in daily routines, like when a password expires or needs to be reset. And spoiler alert: most users just add a “!” at the end of their current password when it’s time for a change.
Not only are multiple passwords frustrating for users and a security risk for the business, but without SSO, it sometimes takes weeks or even months for new hires to gain access to the correct apps. That’s because new employees generally don’t know what apps they need until they need them right now. This leads to a cycle of new employees suddenly realizing at the last minute they don’t have access to an app they need for a task, and then putting in an urgent ticket request to gain access. But depending on the approval process for the given app, it can take several hours (or even days) to get new user access. This frustrates the user – and makes the MSP look inefficient and unprepared.
Limitations of Single Sign-On
SSO is great, but it’s not perfect. The benefits above might be compelling enough for most people to slap down a wad of cash and say “I’m in!”, but sometimes SSO simply doesn’t make sense. For one thing, there’s an upfront cost to single sign-on. And it’s not compatible with every service.
Often Available Only in Premium Subscriptions
In subscription-based models, SSO is frequently “paywalled” so only higher (or the highest) license tiers can access it.
The practice is so prevalent that there’s actually a website highlighting the vendors who do this – including several who cater specifically to MSPs. The price hike to access SSO can be steep, leading many MSPs to take their chances with security and efficiency instead of investing in its benefits.
Not a Fit for Every Use Case
Sometimes, SSO does not fit the use case for the account or service in question, like when global admins or social media accounts are shared by multiple users or teams.
Consider a company social media account that the PR Manager, the Marketing Director, and the Social Media Manager all need access to. But the multi-factor authentication (MFA) controls on this account only allow you to put in one user’s mobile number to receive the push notification login confirmation. Say it’s the Marketing Director’s information, but they’re on vacation. Now, the PR Manager and Social Media Manager have no way to manage the account while the director is out. Shared account situations rarely work in the context of SSO.
Not a Fit for Every App or Service
Thankfully this is becoming a rarer issue. But as an MSP, it’s possible you may have to provide support for an older service that does not support SSO at all, where the only authentication is a username and password.
This is most common in “Line of Business” or legacy apps, which may never support SSO because the vendor would first have to migrate to a cloud-based model. It’s also not uncommon for certain businesses to rely on locally-hosted, bespoke solutions that would require an extremely costly redesign to support SSO.
Password Management: the Solution to SSO’s Limitations
Password Management has been a mainstay of the tech world for the past decade, and it’s well on its way to becoming a billion dollar industry in the next few years.
While SSO adoption has been steadily increasing, here at JumpCloud one of our top customer requests has still been for a password management solution. We believe meeting each business’s unique needs isn’t about creating a “one-size-fits-all” cloud directory solution, but about taking an intentional, multi-faceted approach to solving each problem with the right tool. This led us to where we are today with the introduction of JumpCloud Password Manager, the perfect complement to our SSO solution.
If you haven’t taken our Password Manager for a spin yet, learn more about it on our website or read about it on our blog. With a unique approach to data security, a deep integration with our cloud directory, and a myriad of apps and extensions available, JumpCloud Password Manager is ready to augment your SSO implementations with ease.
Password Manager is not designed to replace SSO; rather, it works alongside it to bring MSPs the utmost in affordability, flexibility, and security in situations where single sign-on isn’t a viable solution. Let’s take a look at how Password Manager closes SSO’s gaps.
While many directory solutions have implemented the “SSO Tax” to make this feature only available to high-spending customers, password management is significantly more affordable.
For our partners using JumpCloud for MSPs, for example, Password Manager is included alongside many other features at no additional cost. This makes it incredibly easy to build out offerings for your customers that make sense for your business and their needs.
Works for Shared Accounts
The JumpCloud Password Manager is designed with 2 important functions in mind:
- To help users save and autofill their passwords and 2FA tokens
- To empower teams to share passwords and 2FA tokens
Everything from a Global Admin account to the company social media accounts can be shared with multiple users via JumpCloud Password Manager. Users can access these logins from any device and on any browser.
Safely Share and Revoke User Privileges
Every MSP has come across a random sticky note on a customer’s machine that prominently displays the most dangerous password imaginable; the kind of login information that would literally sink the business if it got into the wrong hands. This terrifying practice is usually due to customers not having a better way to securely and easily share this information with other users in real-time.
With JumpCloud Password Manager, users can securely access and share these passwords with their teams. And they can do so knowing that when they send your technicians a ticket to disable a user account, their Password Manager access is revoked alongside all other SSO capabilities.
Try JumpCloud Password Manager Today
In the end, it is important to address complex issues like authentication and security from multiple fronts. While SSO can be regarded as the ideal solution, it does not check every box sufficiently and can come with its own set of drawbacks. Password management addresses those blind spots and augments user experience and operational security all in one effort.
With the arrival of the JumpCloud Password Manager, you can now get the best of both worlds within a single platform. For more information about the JumpCloud Password Manager, check it out on our website or speak with your account manager today!