Does Your SSO Behave?

Does Your SSO Behave?
category: News I.S.D.D. plus

The use of passwords has penetrated most aspects of our daily lives. Whether work-related or personal, every day many of us encounter new websites, applications or services which require new accounts and the passwords that go with them. Some reports show that the total amount of passwords will surpass 300 billion this year. Dashlane reveals that it has nearly 200 passwords per average user, and even conservative research points out that the average person has 70-80 passwords.

However, according to the “Passwords Usage and Human Memory Limitations” survey, we are not capable of remembering more than four distinct and secure passwords on average. It is no wonder that users give up on best security practices and create easy passwords or reuse the same passwords across different accounts, often mangling private and company credentials in the process. Such habits can lead to disaster.

Figure 1. Data breaches that leaked over 10 million records between 2004 and 2020-to-date

As I pointed out previously, a worthy investment for any company is to implement single sign-on (SSO), which can also help battle the problem of transparent password usage. Despite SSO using only one set of credentials for authorization, it is more secure compared to separate logins across multiple applications. But even with company-wide SSO, there is still at least one account that you need to protect.

So, what other security options do we have besides username and password? I will introduce our approach, which employs adaptive multifactor authentication, passwordless options, and some more advanced possibilities that we are currently working on.

To Know, to Have, to Be

Our own SSO enforces multifactor authentication (MFA). As pointed out above, legacy passwords (something you know) are vulnerable to a wide variety of attacks. Therefore SSO will also verify something that you have (a possession), who you are (your biometrics), or where you are (a location). A combination of such factors can provide appropriate levels of assurance and accountability.

Authentication taxonomy

Figure 2. Common user authentication methods

In this diagram, behavioural, spatial and temporal methods are seamless to the user, making the overall experience much more convenient. Behavioural biometrics is not a new idea; it actually dates back to the 1860s with the invention of the telegraph. It requires continuous evaluation of user habits, and in the long-term can deliver reliable results. Spatial authentication is essentially geolocation based on trusted metadata, while the temporal method detects presence in a defined location at a scheduled time. In real-life scenarios multiple biometric modalities are used together to deliver a higher degree of security, such as voice biometrics augmented with facial recognition. The Encyclopedia of Biometrics is a great resource to check for even more unusual methods.

Not all of the methods provide the same level of assurance (trust), and the user is challenged with multiple authentication factors based on the particular situation (risk). Therefore, a calculated risk needs to be matched with the appropriate level of trust. The trust must be matched dynamically as the risk rises, depending on circumstances and the type of service level requested. We call this process adaptive multifactor authentication.

Let’s take a look at how adaptive authentication deals with various use cases. For example, if the employee presents themself at the company turnstile with RFID in the morning, and then uses their email client from a secure company workstation, there is no need for extra authentication steps. However, if the same user accesses services with a higher level of sensitivity (e.g. the accounting system), they will be challenged with a push notification via smartphone. If, later that day, the same person tries to log in to web-based email from a foreign IP address, the user will be challenged with a Google Authenticator verification code (to avoid roaming charges). The request may be valid (e.g. using a proxy or on a business trip), but a red flag will be raised by the monitoring system anyway.

Over time we have seen that our SSO is prepared to handle any situation, conforming to the strictest policies that the company may have.

Move Along, Nothing to See Here

If you have ever forgotten your password, then you have already experienced the password recovery procedure. You fill in your email address and in matter of seconds an email containing a password reset link arrives. The same idea applies to passwordless authentication. The user presents themself with a pre-authenticated device (e.g. a smartphone or other device), and in exchange they receive a secure one-time token (e.g. a push notification or SMS) which verifies identity without the need to create a password in the first place. If there is no password, it cannot be compromised – at least that is the basic premise.

WebAuthn authentication flow

Figure 3. A typical passwordless WebAuthn flow

Be aware that the weakest link principle applies here, and appropriate security measures must be taken in case the smartphone/device gets stolen or compromised. Passwordless authentication is only as secure as your trusted device. At the same time, our SSO needs to allow authentication using alternate methods, ensuring that if you misplace your device, you will still have access to company resources.

What ‘s Cooking?

There is always room for improvement. At present we are working on techniques which establish user identity remotely by using government issued ID, such as a passport or ID card. This is not the more well-known electronic identification, authentication and trust services – eIDAS regulation (EU) No 910/2014, which requires electronic identification (eID) and usage of public key infrastructure (PKI). Instead, it verifies government issued ID via integration to public services, and facial recognition based on camera live feed, so that even non eIDs could be used. However, providing such remote proof of identity requires complex processing, and there are still many obstacles to overcome. Hopefully the final product will live up to our expectations.

To sum up, it is challenging to manage all accounts across multiple devices, even with the help of password managers and SSO. The stakes are ever higher when hackers have access to a mega leak of 2.2 billion breached accounts including usernames and passwords. If you are curious, you can check for yourself if you have an account that has been compromised in a data breach – but please, use it at your own risk.

Behave until next time.

Rastislav Klč

Chief Security Officer