Keys to the Kingdom: Single Sign-On (SSO) is Under Attack

Single Sign-On (SSO) software provides users with access to multiple applications or datasets without requiring multiple logins. SSO software simplifies the user experience, helps organizations manage risk, and creates efficiencies for organizations and users alike. SSO credentials are often referred to as “the keys to the kingdom” because they provide so much access under one, single credential. 

It shouldn’t be surprising that the keys to the kingdom are under attack.

While there are great benefits to SSO, SSO also creates significant risk for organizations. SSO credentials can be compromised, providing attackers access to a broad range of applications within an organization’s environment. SSO providers themselves can be attacked, compromising customer credentials and/or essential authentication infrastructure. The recent Okta cyber attack is a recent example of a successful and concerning incident targeting a critical SSO provider.

This article contains tips for security and risk professionals to manage risk from their SSO providers and better protect their users’ credentials. 

What Is Single Sign-On (SSO)?

As organizations increasingly rely on a number of different online services and providers, it is hard to generate and maintain credentials to access all these services and keep track of all of those usernames and passwords. 

SSO solutions help organizations and users address these challenges. SSO solutions are an authentication method that enables users to securely authenticate with multiple applications, websites and services by using just one set of credentials. SSO allows a user to log in once and access services without re-entering authentication factors.
 

Many companies have implemented SSO solutions as part of their employees' authentication process. Benefits from implementing SSO include:

• Risk mitigation for access to 3rd-party sites because user passwords are not stored or managed externally
• Reduced password fatigue from different username and password combinations and improved user productivity
• Simpler administration and better administrative control
• Consolidation of heterogeneous networks

3 Tips for Managing Risk to SSO Credentials and Providers

Although SSO solutions come with many benefits, there are several considerable risks that security professionals should immediately address. 

Tip #1: Monitor Marketplaces for Valid Breaches

First, SSO credentials themselves represent a significant risk to the organization. SSO credentials allow access to multiple applications and platforms. Compromising a SSO credential could allow unauthorized access to many different systems within an organization. SSO credentials—from individual credentials to large numbers of credentials – may be compromised by the typical methods attackers employ to target individuals and organizations alike. 

Many dark web markets offer SSO credentials for sale. In fact, the recent Okta cyber attack likely began with the acquisition of compromised SSO credentials. According to public reports, the LAPSUS$ ransomware group bought access credentials to Okta from the Genesis marketplace, a market that provides an avenue for attackers to buy stolen credentials. The credentials acquired were from Sitel, Okta’s customer support provider. Over the past six months, Bitsight has observed an increase in the number of Okta sub-domains for sale on various dark web markets. 

Tip 1: Given the potential impact of having such credentials exposed to malicious actors, security professionals should monitor and scrutinize these marketplaces for valid breaches affecting their organization as well as their broader digital supply chain. 

Tip #2: SSO Providers are Critical Third-Party Vendors

Second, SSO software providers represent a significant risk to organizations. SSO software providers provide infrastructure and service accounts for hundreds of thousands of organizations. SSO authentication infrastructure could be disrupted, rendering systems that the SSO manages unusable. SSO providers may also store organizational credentials within their systems, making them an attractive target for an attacker seeking broad access to many organizations. 

Attackers recognize that SSO providers are an attractive target given their importance in the supply chain. SSO servers and underlying protocols have been targeted by security researchers and malicious actors alike in recent years.

Tip 2: Organizations should consider SSO providers to be “critical” third party vendors and perform robust assessments of their cybersecurity posture, to include continuous monitoring.

Bitsight observes many customers leveraging our platform to identify vulnerabilities and risks resident within the leading providers of SSO applications. We encourage security professionals to proactively identify cybersecurity risks and share information with vendors in order to remediate risk.

Tip #3: Enable MFA On Your Accounts

Third, multi-factor authentication (MFA) is a critical component to reducing the likelihood that a stolen credential can be successfully leveraged. MFA is an authentication method that requires users to provide two or more verification factors before granting access. 

Tip 3: Organizations should work with their SSO providers to ensure that MFA is enabled on their accounts.

MFA is a critical addition to an organization’s security program, providing additional user validation and potentially avoiding risks associated with loss of unique credentials.

By performing these steps, security and risk professionals can appreciate the benefits of SSO while managing the risk associated with these applications.