FrederikMay 6, 2024

Showerthought:

Password reuse is bad because it means one compromised account can lead to compromises at many different services but "Sign in with your AD credentials" everywhere is fine?

SSO trains users to enter their credentials in places other than the vendor that these credentials belong to, and leads to compromise of multiple services if a single account (the SSO account) is compromised, for example through #phishing. Doesn't that mean it causes at least some of the same problems as password reuse?

--
#infosec

Show threadJeffrey
@fre could it be that you are confusing Same Sign-On with Single Sign-on (both can be abbreviated to SSO)? for the first one, yes. For the second one, you usually have one IdP portal you use, which would suggest to users this is the only place those credentials should work.
May 6, 2024 at 8:44amWeb
Show threadYaroMay 6, 2024
@jtig @fre and… with single sign on, you change the compromised credential in one place, and all places are protected. It is an administrative consolidation. You are reducing your credential footprint in exchange for expanding the domain of access. With that said, passwords are just plain weak sauce. If your SSO solution is not using a strong credential (2FA, WebAuthN, certs…something) it probably doesn’t matter much.