Passwords are at the heart of most authentication mechanisms in use today. They are the keys that companies use to protect their most vulnerable information from cyber criminals and malicious insiders alike. Have you ever wondered what the difference is between MFA and single sign-on? Let’s learn what they are and how they came into existence.
The Issue with Simple Password Authentication
The problem with simple password-based authentication is that it no longer serves the intended purpose as well as it used to. Even small companies now use multi-cloud systems and allow their employees to log in to them from various remote locations. The more passwords an employee uses, the more likely they are to reuse the same ones – which can lead to other bad practices. That’s why password-related breaches are so common.
Companies can implement multi-factor authentication (MFA) and single sign-on (SSO) to go beyond simple password-based authentication.
What Is MFA?
Multi-factor authentication is an authentication method that requires the user to provide at least two pieces of evidence to be granted access to a protected resource, such as a cloud service.
The pieces of evidence that can be used as authentication factors can be grouped into four categories:
- Something the user has: various physical authentication tokens
- Something the user knows: unique information like a PIN code or a personal identification number
- Something the user is: all kinds of biometric information, from fingerprints to retina scans
- Somewhere the user is: the user’s physical location obtained using GPS and other technologies
Most computer users today are personally familiar with multi-factor authentication because a growing number of websites enable it by default. Many banks, for example, don’t even allow their customers to access internet banking without setting up MFA first—and for a good reason.
According to Microsoft, MFA alone can block over 99.9 percent of account compromise attacks because it ensures that a weak, lost, or shared password isn’t enough to obtain access to a protected resource. At least one additional authentication factor is necessary, and stealing it is anything but easy.
Unfortunately, MFA isn’t without its drawbacks. Perhaps the biggest drawback is how inconvenient it can be for users to enter two or more authentication factors every time they log in.
What Is Single Sign-On?
Single sign-on is an authentication method that addresses the same problem as MFA (account compromise attacks) but from a different angle.
Instead of introducing additional layers of security, SSO makes it easier for users to follow password best practices by allowing them to log in with just one set of credentials to all of the enterprise applications they need for their daily tasks.
For example, Google uses SSO to let users sign in just one time to get access to all their Google Workspace enterprise cloud applications, such as Gmail, Google Drive, and Google Docs.
Unsurprisingly, employees love the productivity-boosting and frustration-reducing benefits of SSO, but cybersecurity experts like to criticize the authentication method for increasing the negative impact of credential leaks and misuse.
Businesses Can Combine MFA and SSO
When MFA and SSO are combined, their biggest downsides (the need to constantly enter multiple credentials and the increased negative impact of credential leaks and misuse) effectively cancel each other out.
There are many ways in which MFA and SSO can be combined. For example, employees can be required to enter their passwords together with their biometric information at the start of the day. From there, the company’s SSO solution can take over and continue granting access throughout the workday.
A change in an employee’s location, web browser fingerprint, or IP address can trigger additional verification using MFA as an extra security precaution.
Prevent Password-related Data Breaches
Traditional password-based authentication has reached its limits in the day and age of cloud computing and hybrid work arrangements. To prevent password-related data breaches, companies must take advantage of multi-factor authentication to add extra layers of protection. Additionally, organizations can combine MFA with single sign-on to make the authentication process more convenient.
