SSO 3.0: Replace the keys to your kingdom with locks on every door
By Mike Vesey, Founder and CEO of IdRamp
Single sign on (SSO) has become a standard practice for improving usability and security. It provides the user convenience of one credential to access many applications and reduces the number of attack surfaces by minimizing the number of redundant credentials. This makes sense, but as digital identity attacks have become more sophisticated, traditional SSO becomes more vulnerable.
Having one set of keys to a kingdom is the weakest link in any security infrastructure. No matter how much effort goes into training employees about good security practices, traditional username and password-based SSO solutions can expose your entire organization to malicious attacks.
“Over 25% of the S&P 500, and half of the top 20 most valuable public U.S. companies, had SSO credentials for sale on the dark web in 2022. The affected companies represent $11 trillion in value.”
Multi-factor authentication (MFA) provides some security improvement for SSO vulnerabilities but it becomes ineffective when users accidentally give away MFA codes and SSO credentials through phishing impersonation attacks.
Advancements in FIDO and adaptive MFA improve the situation, but the core vulnerabilities of password-based SSO authentication persist. Fortunately, a new model for SSO is now available to better protect your organization.
SSO 3.0: Decentralized Sign On
As companies start to adopt Zero Trust approaches to securing IT environments, the focus is on strong authentication, robust access control, and verifiability. SSO 3.0 provides decentralized authentication to remove passwords, reduce fraud, and minimize the blast radius for any attack.
In this model, passwords are replaced by verifiable credentials, a unique set of cryptographic keys that are physically stored in a digital wallet. This means attackers who typically would buy millions of stolen credentials remotely on the dark web, or phish them with fake logins, would need to be in physical possession of your digital wallet, private access code, and biometrics to steal your information.
Verifiable credentials replace the keys to your kingdom with individual locks on every door.
SSO 3.0 means that even if one application is breached, a unique credential is still physically required to access any others. Every application can use different elements of the same original credential to provide distinct verification locks for each digital door within your organization.
Think of verifiable credentials like a passport for international travel. Stealing the information on a passport is not enough to impersonate someone. You also need to present the actual legal credential document in person to board the plane.
Through decentralization, you remove any master directory that provides access to all sensitive data.
Verifiable Credentials and Web 3.0
SSO 3.0 verifiable credentials are a powerful technology for delivering stronger authentication that is harder to break than traditional centralized models. Their underlying architecture and features combine to drive efficiencies, remove risks, and facilitate the continuous verification required by Zero-Trust implementations.
Built on decentralized identifiers, the newest web standard recently approved by the World Wide Web Consortium (W3C), verifiable credentials can be dropped on top of existing systems for organic, flexible integration and can be used to orchestrate the complex tangle of multiple applications.
Verifiable credentials enable data, such as an employee’s identity, to be verified without having to check in with the source of that data or cross-check with a third-party database. This means that they are easy to create, limitless in number, tamper-proof, easy to verify, and inexpensive.
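As an added illustration (not code from the article or from IdRamp's platform), the following Go program models the two properties described above: the issuer signs salted digests of every claim once, so the wallet can disclose a different subset of the same credential to each application, and a verifier checks a presentation offline with only the issuer's public key, never contacting the issuer. The claim names, values and digest layout are constructed for this example and are a simplification of the W3C data model.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Claim is one credential attribute; its random salt hides it behind its digest.
type Claim struct{ Name, Value, Salt string }
// digest commits to one claim; the issuer signs these digests, never plaintext.
func digest(c Claim) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(c.Salt+"|"+c.Name+"|"+c.Value)))
}
// Issue salts and digests every claim and signs the digest list once; after this the issuer is never contacted again.
func Issue(priv ed25519.PrivateKey, attrs map[string]string) (claims []Claim, ds []string, sig []byte) {
	for name, value := range attrs {
		salt := make([]byte, 16)
		rand.Read(salt) // crypto/rand never returns an error on supported platforms
		c := Claim{name, value, fmt.Sprintf("%x", salt)}
		claims, ds = append(claims, c), append(ds, digest(c))
	}
	return claims, ds, ed25519.Sign(priv, []byte(strings.Join(ds, "\n")))
}
// Present hands one application only the claims it needs; the rest stay hidden behind their digests.
func Present(claims []Claim, want map[string]bool) (shown []Claim) {
	for _, c := range claims {
		if want[c.Name] {
			shown = append(shown, c)
		}
	}
	return shown
}
// Verify checks the signature offline with the issuer's public key, then that each shown claim recomputes to a signed digest.
func Verify(pub ed25519.PublicKey, shown []Claim, ds []string, sig []byte) (map[string]string, bool) {
	joined := strings.Join(ds, "\n")
	if !ed25519.Verify(pub, []byte(joined), sig) {
		return nil, false
	}
	out := map[string]string{}
	for _, c := range shown {
		if !strings.Contains("\n"+joined+"\n", "\n"+digest(c)+"\n") {
			return nil, false // tampered value, wrong salt, or claim not in the signed set
		}
		out[c.Name] = c.Value
	}
	return out, true
}
```

A verifier that holds only the issuer's public key can accept the employee_id claim while the clearance claim stays hidden, and any change to a disclosed value, salt or the digest list fails the whole presentation.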
Moreover, they are cheaper, easier, and harder to attack than other authentication options while providing the simplicity of passwordless login that removes the need for a centralized database.
Verifiable credentials are also the most tangible signal of how the internet is changing. Despite the marketing hype for Metaverse, web 3.0, or web 5.0, the important thing to remember is that decentralization is simply a more secure data model that is easier to protect and scale. And when the hype fades, reality will be decentralized. Verified data will be portable in ways that will better protect businesses and consumers alike and lay the groundwork for new products and services.
Right now, verifiable credentials are being deployed to solve SSO 3.0 authentication and security problems across all sectors. Tomorrow, they will be used to create opportunities. The only question is: How are you going to prepare for that change?
About the author
Mike Vesey is on a mission to provide transformational digital solutions for the global enterprise. He has developed award-winning products in unified communications, service operations, security, identity, and data management. Mike has deployed complex identity integrations with some of the world’s largest organizations. He is the Founder and CEO of IdRamp, providing a decentralized identity platform delivering easy to implement orchestration, password elimination, verifiable credentials, blockchain ID, and service delivery.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.