Single sign-on (SSO) is often touted for its ability to improve user experience by providing seamless access to mobile, cloud and enterprise applications for employees, customers and partners.
Security leaders, however, also know that SSO is critical to securing data and applications. Without it, users who must remember and store many passwords tend to choose easy-to-guess ones, reuse them across applications and store them where they can be stolen. By replacing multiple sign-on mechanisms with one set of corporate credentials, SSO shrinks that exposure considerably. It also concentrates access behind a single credential and session, which makes that credential a higher-value target; how well an SSO solution protects it is what separates the capabilities below.
Not All SSO Solutions are Created Equal
But not all SSO solutions deliver the same level of protection. To provide maximum security, an SSO solution must include four key capabilities. In brief:
#1 Federated Single Sign-on
Consider any of the following instances where the user is not in the same domain as the application:
An employee of a recently acquired subsidiary accessing an enterprise application from the parent company
A partner using enterprise credentials to access your SaaS application
A customer on your website wanting to visit a third-party service you offer on your site without re-entering their credentials
In all of these cases, the outdated SSO technique of password vaulting, in which the SSO system stores each application's password and replays it on the user's behalf, is not a secure cross-domain solution: the passwords still exist, still cross the domain boundary and are still stolen if the vault or the replay is compromised. Federated SSO, built on standards such as SAML and OpenID Connect, replaces the password with a signed assertion (or token) from the identity provider. The application never receives a credential it could leak; it verifies the assertion's signature, issuer, intended audience and validity period, and trusts the identity it carries only if every check passes.
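The exchange described above, as an added example that is not part of the original post or the vendor's product: an identity provider signs a short-lived assertion about the user, and the receiving application verifies it instead of ever handling a password. The token layout is JWT-like; it uses HMAC-SHA256 with a shared key as a stand-in for the asymmetric (RSA/ECDSA) signatures real SAML and OpenID Connect deployments use, and the issuer, audience, key and user names are constructed for the example.

```python
"""Minimal federated-SSO assertion: IdP issues, SP verifies.

Added illustration. HMAC with a shared key stands in for the IdP's
asymmetric signature; all names and values below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed example values. A real IdP publishes a public key; every
# relying application would verify with that key, not a shared secret.
IDP_ISSUER = "https://idp.parent-company.example"
SP_AUDIENCE = "https://app.subsidiary.example"
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject, audience, key, lifetime_s=300, now=None):
    """IdP side: sign who the user is, which application the assertion is
    for, and the window in which it is valid. No password is included."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": IDP_ISSUER,          # who vouches for the user
        "sub": subject,             # the authenticated user
        "aud": audience,            # the one application this is meant for
        "iat": int(now),
        "exp": int(now) + lifetime_s,
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_assertion(token, expected_audience, key, now=None):
    """SP side: accept the identity only if the assertion is well-formed,
    signed by the IdP, addressed to this application and currently valid.
    Raises ValueError describing the first failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only parse and trust the claims after the signature has been verified.
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("assertion not intended for this application")
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        raise ValueError("assertion expired or not yet valid")
    return claims


if __name__ == "__main__":
    token = issue_assertion("alice@subsidiary.example", SP_AUDIENCE, SIGNING_KEY)
    print("accepted user:", verify_assertion(token, SP_AUDIENCE, SIGNING_KEY)["sub"])
```

The order of checks is deliberate: signature first, so nothing in the claims is trusted until it is known to come from the IdP; audience next, so an assertion issued for one partner application cannot be replayed against another; and a short validity window, so a captured assertion is worth little.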
#2 Context-sensitive Authentication
Suppose you are a bank or other financial institution and your users access sensitive transactional information online. Would it raise alarm bells if a user signed on from a device and location that had no obvious relationship to either your customer or your institution?
It would, if your SSO solution used context-sensitive authentication. Instead of treating every sign-on the same, the solution evaluates the context of the attempt (the device, the location and network it comes from, and how sensitive the requested action is) against what is normal for that user. Authentication policies based on that risk then determine dynamically what the user must do: proceed on the existing credential, complete a step-up second factor, or be refused outright. Low-risk sign-ons stay seamless while the risky ones get the extra scrutiny.
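A risk-based policy of the kind described above, as an added example that is not the page's or the vendor's code: each unusual signal in the sign-on context adds to a risk score, and the score selects the action the user must take. The signals, weights, thresholds and the sample customer profile are constructed for the illustration; a production system would feed them from device fingerprinting, IP intelligence and the user's sign-on history.

```python
"""Context-sensitive authentication: decide allow / step-up / deny from the
sign-on context rather than from the credential alone.

Added illustration; signals, weights and thresholds are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    ip_reputation: str         # "clean", "anonymizer" or "known_bad"
    resource_sensitivity: str  # "low" (view a balance) or "high" (wire transfer)


@dataclass
class UserProfile:
    """What is normal for this user, learned from previous sign-ons."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)


# Possible decisions, in increasing strictness.
ALLOW = "allow"           # the presented credential or session is enough
STEP_UP = "step_up_mfa"   # require a second factor before proceeding
DENY = "deny"             # refuse the attempt and alert

# Constructed thresholds.
STEP_UP_THRESHOLD = 50
DENY_THRESHOLD = 100


def score_risk(ctx: LoginContext, profile: UserProfile):
    """Return (score, reasons). Each unusual signal adds a constructed weight;
    the reasons are kept so the decision can be audited and explained."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if ctx.country not in profile.usual_countries:
        score += 30
        reasons.append(f"unusual country {ctx.country}")
    if ctx.ip_reputation == "anonymizer":
        score += 20
        reasons.append("anonymizing network")
    elif ctx.ip_reputation == "known_bad":
        score += DENY_THRESHOLD  # a blocklisted source is denied on its own
        reasons.append("source IP on blocklist")
    if ctx.resource_sensitivity == "high":
        score += 20
        reasons.append("sensitive transaction")
    return score, reasons


def decide(ctx: LoginContext, profile: UserProfile):
    """Map the risk score to the action the user must take."""
    score, reasons = score_risk(ctx, profile)
    if score >= DENY_THRESHOLD:
        return DENY, reasons
    if score >= STEP_UP_THRESHOLD:
        return STEP_UP, reasons
    return ALLOW, reasons


def record_step_up_success(ctx: LoginContext, profile: UserProfile) -> None:
    """After a successful second factor, the device becomes part of the
    user's normal context so the next sign-on from it is low risk."""
    profile.known_devices.add(ctx.device_id)


if __name__ == "__main__":
    # Constructed customer: one enrolled device, normally signs on from the US.
    alice = UserProfile(known_devices={"dev-1"}, usual_countries={"US"})
    attempts = [
        LoginContext("alice", "dev-1", "US", "clean", "low"),
        LoginContext("alice", "dev-9", "BR", "clean", "high"),
        LoginContext("alice", "dev-1", "US", "known_bad", "low"),
    ]
    for a in attempts:
        print(a.device_id, a.country, a.resource_sensitivity, "->", decide(a, alice))
```

The same customer on an enrolled device in a usual country is let straight through, an unfamiliar device in an unfamiliar country attempting a sensitive transaction is challenged for a second factor, and anything from a blocklisted address is refused regardless of the other signals. Returning the reasons alongside the decision is what makes the policy reviewable when the bank's analysts ask why a customer was challenged.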
#3 Authentication Authority
Single sign-on should mean exactly what the name implies: one sign-on grants access to all applications from anywhere. In practice, some SSO solutions are more like SSOSOTT (single sign-on some of the time), because they do not act as the authentication authority, the single point that authenticates every user consistently and that every application trusts for that decision. Applications left outside it keep their own logins, and with them their own passwords and their own inconsistent policies.
A high-security SSO solution leverages your existing identity infrastructure and makes it easy to enable SSO across your entire application portfolio, not just pieces of it.
#4 Hybrid Deployment
In today's environment, enterprises rarely deploy applications only on-premises or only in the cloud. A hybrid SSO deployment connects users with all applications, wherever they live, so that one authentication authority and one set of policies cover on-premises and cloud applications alike.
Implementing Secure SSO
Is your organization relying on an SSO solution that offers no more protection than using basic passwords for authentication? Learn more about how to implement the most secure SSO for your enterprise in our reference guide The Security Leader's Guide to SSO.