4

I was reading this article about SSO benefits and this sentence intrigues me :

Can reduce phishing – Phishing, a fraudulent process where victims are tricked into giving away sensitive user information, increasing security for you and your users.

How is this possible ? I mean if the victim is using SSO then the attacker will gain access to all authorized services instead of the only "phished account" what would increase the impact of phishing.

storm
  • 1,714
  • 4
  • 16
  • 25
  • 1
    With SSO you type in your password less, so less risk of typing into a phishing site – paj28 Jun 13 '16 at 17:30
  • Ahhh....you do have to enter your authentication information at least once during the process. And currently most SSO authentication schemes use username/passwords. – mdpc Jun 13 '16 at 18:21
  • Honestly, it wouldn't, because phishing is mean to attack the user psychologically. When a SSO phishing page purposely pop up an error, most user will think there is some requirements and will type in the password. The only way is use together with "whitelist" method like Password manager, which user disallow to use the password for any domain that is not inside the password manager. – mootmoot Feb 01 '18 at 14:14

3 Answers3

2

I agree with the other two answers provided, but there are a couple of other benefits, when SSO is implemented correctly.

  • Users enter their password less often
  • Users don't have multiple passwords to keep track of
  • Users are presented with a single login page, and they know what it looks like

When users don't have several different login pages to go to, they are better able to tell when something is wrong.

h4ckNinja
  • 3,006
  • 15
  • 24
1

Newer forms of SSO, such as OAuth2, do not do anything more than provide a secure token for the client to use to verify if a user is actually authorized successfully. It does not leak their username, password, or anything else. It's simply an assertion that, according to the identity provider, it is a real user by whatever means they've proved themselves, and that they have some unique idenifier specific to that provider.

They could have used a smart card, fingerprints or other biometrics, etc, and that they have proved that who they say they are, but nothing more. Phishing attacks using these forms of SSO are pointless, because they get neither the credentials the user used, nor information about any other accounts they have. The tokens generated are only valid for a specific app, too, so they can't even use that token to access other services the user might have access to.

phyrfox
  • 5,724
  • 20
  • 24
  • I don't think you use the term SSO as other people do. Wikipedia even mentions "Other shared authentication schemes not to be confused with SSO include OAuth, OpenID, OpenID Connect and Facebook Connect" – techraf Jun 14 '16 at 04:42
  • @techraf Wikipedia, while often a font of useful information, misses the mark on the SSO entry, as far as I'm concerned. The article linked to also demonstrates FB as a SSO provider. While the terminology may be different ("identity provider" versus "single sign on"), it's essentially the same technology. Wikipedia also mentions SAML as SSO, and it also does not provide a username or password to trusted parties. While some types of SSO provide different features/API, they are, at their core, responsible for letting users have a single password to many systems. – phyrfox Jun 14 '16 at 05:48
  • Wikipedia might contain wrong information, however it quite well reflects how people use and define words. Please note that I did not say your usage of SSO is worse or better, it just might not be consistent with what other people use. And that includes those who will check Wikipedia in future and acquire knowledge from there. – techraf Jun 14 '16 at 05:56
0

The idea behind SSO is that it prevents the user from having to enter credentials more often, thus reducing the potential attack surface. Notice that it does say can reduce phishing. It also helps eliminate another pretty common issue: people writing passwords down and leaving them in plain sight (if they only have one to remember, they're less likely to write it down).

There are a number of other benefits from using SSO, from prevention of password recycling, to reduced inefficiencies (wasted time in both users having to enter separate credentials frequently, and support time when they forget additional passwords).

Caleo
  • 1
  • Except for the first sentence this answer is not on topic. OP clearly took one bullet point from a list and asked for reasoning behind it. Writing passwords on paper is not phishing, neither are other benefits. – techraf Jun 14 '16 at 04:33