We’ve all seen those “login using Facebook” buttons on some of our favorite sites. The ability to use one account as the sign on for another has been a key part of the evolution of digital identity. This is called single sign-on (SSO) and it can be very convenient. However, there’s a lot that goes into the development and security of SSO, and we should understand both how it works, and how it could be made more secure, before we start using it across all of our online accounts.
What’s an Identity Provider?
When a company is able to provide SSO capabilities, it means they have become an identity provider. This means their account credentials, be it Google, Facebook, or a private company, are able to be used across numerous accounts because they’re a trusted vendor who’s considered to be a reliable source of identity.
That’s why when you create a Fitbit account or log into Disqus to comment on this post, you’re able to do so with a variety of accounts instead of creating a new one. This is primarily a benefit of convenience – less passwords to remember, and less accounts to keep track of for the end user. But it also means that if one account is compromised, all of them could be.
Imagine that you use Facebook as your SSO provider, linking that account to 12 others for logging in. Then you give your Facebook password to a friend for some reason. That friend now also has access to those 12 other accounts, some of which you might want to be private. In this instance, of course, the friend would need to know that you used your Facebook account to log into those sites, but that’s actually easier than it seems. So while SSO is convenient, it isn’t very secure. But it could be.
SSO & MFA
Multi factor authentication (MFA) can provide a serious increase in security for SSO by requiring additional parameters to log in. Two-factor authentication (2FA) would require a one-time password to be used, but MFA combined multiple factors – a smartphone or biometrics – to be used when logging in from a new location or device.
Adding in multiple authentication factors helps to prove the identity of the person logging, and when combined with SSO can reduce the risks highlighted above. However, adding multiple authentication steps to SSO seems to reduce the convenience of it, doesn’t it?
Bringing Convenient Biometrics to SSO
This doesn’t have to be the case. With the right platform, you can make biometrics the SSO option, using the same mobile app to capture face or hand recognition and use that to authenticate into numerous accounts. The key is leveraging a biometric authentication platform that has SAML capabilities for acting as an identity provider.