Single Sign-on (SSO) Password Managers: Are they safe?

Passwords are the weak point of any secure system. Password reuse is incredibly common, as is choosing simple, easily guessable passphrases. This is hardly a surprise – one report suggests that the average American will have 300 online accounts by 2022, each protected by a password.

Most people choose to reuse passwords because they can be sure that they will be remembered. Worse still, memorable passwords are relatively easily cracked, leaving the user (and the system) vulnerable.

Password managers – a magic bullet?

Single sign-on (SSO) password managers promise to solve this problem. Users can auto-generate a strong, unique password for every application or website – and the password manager will remember it for them. Better yet, all of the passwords are fully encrypted; if a hacker does manage to steal the keystore, the data itself cannot be recovered.

The user just has to remember a single master password to access the application.

Significant potential benefits

Being able to use unique, strong, unguessable passwords is obviously a significant improvement over the current situation. Because there is just one master password, the number of potential attack surfaces available to hackers immediately decreases. SSO also helps to reduce operating overheads, freeing up resources for other projects and priorities.

Are there any risks with SSO password managers?

The SSO password manager upholds one key IT security principle – the use of strong passwords. At the same time, it breaks another – relying on a single password for access creates a potential single point of failure. If hackers do manage to obtain the master password, they have the keys to the kingdom, full access to all accounts stored in the app.

A single point of failure in any system is undesirable, particularly when it relates to security. Before deploying an SSO password manager, your business needs to carefully consider whether this falls within your risk tolerances.

It’s also important to realise that SSO password managers are not infallible. Hackers have successfully compromised services like OneLogin, stealing customer data and the tools required to decrypt it.

Going beyond SSO

SSO can be strengthened by using multi-factor authentication (MFA) and contextual security – however, passwords may soon become a thing of the past. The self-sovereign identification (SSI) component of blockchain technologies provides an alternative to traditional username/password logon methods.

A user’s unique device (laptop, smartphone, tablet etc) can be issued an encrypted certificates that is stored alongside their SSI in the blockchain public ledger. When they attempt to access a protected asset, the website/app checks the device against the public ledger and grants access automatically. Everything “just works”.

Again, this system is not infallible – if a physical device is stolen, the thief may be able to access the protected resources. Using MFA may be an option, ensuring that a compromised device cannot be used without secondary confirmation.

The beauty of blockchain for passwordless authentication is its flexibility. Every user is assigned both public and private IDs that can be checked and verified by any other blockchain user, but they will never be able to identify an individual because they can only check that the public ID is legitimate.

This system allows developers to build extremely secure, passwordless applications, safe in the knowledge that all users are legitimate – and that hackers cannot gain access by simply guessing passwords.

To learn more about the future of passwordless authentication – and why an SSO password manager isn’t quite secure enough for your needs, please get in touch.