SSO and the Road to Passwordless

By Dave Lewis, Advisory CISO — Global at Duo

We’ve all heard the phrase “every journey starts with a single step.” While this might seem obvious on the face of it, we can often feel pressure to immediately arrive at our destination.

Discussions around passwordless often are too simplistic or too complex by trying to come up with an immediate solution instead of addressing the journey and its all-important first steps. I could not think of a more salient topic related to authentication these days.

Static passwords have long been a hobgoblin haunting our existence in the technological realm. When an attacker breaches a website they will, more often than not, re-use all of the purloined credentials against other websites to gain access. Why?

The reasons are rather simple:

People have an unfortunate predisposition to use the same password on multiple websites. For the average person it can be a challenge trying to remember the credentials for multiple websites. This is a problem I know well. In my own password management software I have no less than 929 passwords. There is no conceivable way I would be able to maintain all of those in my memory.

We, as humans, also tend to create passwords that are too short and too simple; translation: not complex enough. Remember, I have nearly 1,000 passwords in my password manager, it would be much easier to remember more of them if they were basic short words and phrases. Hence the frequent reminders from the tech press and your security team that “password” should not be your password. But therein lies the rub - hundreds of complex passwords are impossible to remember.

There must be a better way. How do we get to that wonderful state of nerdvana where access is simple but secure? It begins with a single step. The joy of this single step is that you can take it from the comfort of your fuzzy slippers ensconced in your own home. That journey to a passwordless future begins with single sign-on or SSO, which allows us to dramatically reduce our reliance on passwords. This is the state of authentication where disparate mechanisms coalesce to provide unified access control.

Rather than being expected to create, remember and secure many complex passwords, an individual would need to remember only one for their day job. One solitary password to rule them all! A welcome change! But if we channel Ron Popeil, “wait, there’s more!” we could further simplify access with the added layer of push based multi-factor authentication (MFA).

Imagine getting ready for your workday, be it either remote or in an office (someday) and only having to remember a single password, your mobile device and pants. It seems like something that is highly achievable.

OK, do we have your attention? This is a fantastic way to reduce the security exposure for an organization, and also for you as a user of these platforms. If we implement MFA in conjunction with SSO to marshal access to your email, document repositories and all manner of web based applications, there is far less chance that a phishing attack would be successful.

Additionally, an SSO portal can be set up to present as a landing page for employees when they first login. Each link in the page will provide access to the predefined applications they need to get work done. This would work in any vertical really: control systems, financial orgs, government, healthcare or retail as just some of the many examples.

This sort of deployment will make it easier for the people who need to get their jobs done. There will be a far lower number of help desk tickets opened up to reset passwords, especially if you allow your staff the ability to self manage their access.

Once SSO and MFA are in place, you are in a position to be able to transition your organization to using technologies like W3C’s WebAuthn standard for using public key-based credentials, for example, to secure access to web applications.

With every journey the foot has to first land somewhere on the road. Having those first couple of steps land on MFA and SSO are a brilliant move on the path to a passwordless adventure.

Read more about the path to passwordless in Duo's passwordless blog series.