5 best practices to secure single sign-on systems

Don't assume that SSO is inherently secure. Follow these recommendations to prevent unauthorized access due to authentication flaws.


The recent “Sign in with Apple” vulnerability earned a researcher $100,000 as a part of Apple’s bug bounty program. The flaw itself arose from an OAuth-style implementation that did not properly validate JSON Web Token (JWT) authentication between requests. This would have allowed a malicious actor to “Sign in with Apple” using anyone’s Apple ID.

The seriousness of the flaw, how simply it was caused, and how easily it could have been prevented all suggest that you should review the single sign-on (SSO) implementations your enterprise systems use to see how they can be better secured. SSO is a centralized approach to authentication and authorization. It improves overall security and user experience (UX) by relieving the end user of repeatedly signing up for, or signing into, each service.
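As an added illustration (not from the article, and not Apple's code), this is the kind of relying-party check whose absence the flaw above describes: the ID token's signature, issuer, audience and expiry are verified, and the token is bound through its nonce to the authorization request this session actually started. The HS256 shared key, issuer and client id are constructed demo values; a real provider signs with a public key the relying party fetches, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real relying party verifies the provider's public key.
DEMO_KEY = b"demo-shared-secret-not-for-production"
ISSUER = "https://idp.example"      # hypothetical identity provider
AUDIENCE = "client-id-123"          # hypothetical relying-party client id

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_token(claims, key=DEMO_KEY):
    """Build an HS256 JWT; stands in for the identity provider's token endpoint."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def fresh_claims(sub, nonce, lifetime=300):
    # Demo helper: claims for a token that expires `lifetime` seconds from now.
    return {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "nonce": nonce, "exp": time.time() + lifetime}

def validate_id_token(token, expected_nonce, key=DEMO_KEY):
    """Return the claims only if every check passes; raise ValueError otherwise."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm; never let the token's own 'alg' (e.g. "none") choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= time.time():
        raise ValueError("expired or missing exp")
    # Bind the token to this session's own authorization request, so a valid
    # token minted for some other request cannot log this session in.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims
```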

Typically, authentication flaws like this one occur because the workflow was never given a proper security audit. They also occur when identity management products are procured from vendors without verifying that they strictly conform to industry specifications. These are the safeguards you need to have in place:

Perform security audits during SSO procurement

Aaron Zander, head of IT at HackerOne, notes that since OAuth is an open standard, everyone has responsibility for improving it. “For the enterprise world, most use tools like Okta, Azure AD SSO, Google’s offerings, or any of the other half dozen or so major vendors that are out there. All are built leveraging OAuth, Security Assertion Markup Language (SAML) or System for Cross-domain Identity Management (SCIM), all of which are open languages that depend on other hardening techniques, like X.509 [encryption] certificates, to stay secure.”
