How Safe is Single Sign On?

The internet has been atwitter recently with article like this, which can naturally make family offices worry that Single Sign On (SSO) is unsafe.

However, SSO is safe if you do it properly:

Some sources will suggest a defense-in-depth layer, but what is that? It is essentially technical jargon for more than one protection standing in the way of the attacker.

Here at InfoGrate, we are all about practicality As such, we have pulled together a list of what a family office technology team should look out for when implementing and managing SSO at the enterprise level. Watch out for the following:

1. Credential Stuffing and Password Spraying: Require a password change and maintain an official password policy, conduct dark web monitoring to notify of exposed passwords, and lock accounts after five failed attempts.

1. Session Hijacking and Access Token Leakage: Leverage an EDR tool like Crowdstrike and either delete browser cookies automatically or encrypt them using a tool like Seraphic.

1. Prompt Bombing: Monitor for high volumes of Multi-Factor Authentication (MFA) prompts from a single user account and enforce "Risky Sign In" policies.

1. Spear Phishing: Train users to recognize phishing attempts and utilize link protection from each user's spam filter, which checks the validity of links before allowing a user to open a web address.

1. Social Engineering: Train users to be suspicious. Ask for verification of unexpected calls and emails. Enforce a password policy that discourages the use of names, birthdays, partner's names, and other searchable information.

1. Employee Bribing: Do background checks on new hires.

We also recommend:

1. MFA: Require Multi-Factor Authentication (MFA) for all users and accounts.

1. Geo-blocking: Enable Geo-blocking, which blocks login attempts from outside the area of your choice.

1. Devices. Allow access only from approved devices.

1. Principle of Least Privilege: Enforce principles of least privilege, where a user can only access information relevant to their job.

As always, InfoGrate is here to help! Please reach out to us at info@infograte,com if you would like to learn more about how to make SSO secure for your family office.