Secure your small business:
Apps → Data →

Password Managers Don’t Replace SSO, and This is Why

Smaller organizations sometimes think they can “make do” with password managers instead of single sign-on (SSO)—but these facts say otherwise.

We’ve been stuck with username-password identity for decades, and in 2023 everyone knows a few truisms about them:

  • Users tend to pick relatively insecure passwords by default.

  • When you impose adequate password complexity rules, users either forget their passwords or resort to writing them down and reusing the same passwords over time and across logins.

  • Most of the world’s data breaches result from the two facts above.

Username-password based logins continue to be our largest collective security vulnerability, and password managers do little to fix this.© Weedezign / Dreamstime

There are two currently popular solutions to this problem, single sign-on (SSO)  providers and password managers .

How They Work

Single sign-on platforms work by taking control of a user’s application logins. When this occurs, rather than log directly into applications that they plan to use, users log into their SSO provider—and the SSO provider then logs into the application on the user’s behalf with far, far more complex and frequently changing credentials.

Password managers work by simply storing and remembering a user’s passwords for each online application—the theory being that by reliving the user of the need to remember passwords, users can select far more secure passwords, and use a different password for each application.

Password Managers are Popular

Password managers continue to be popular because, to be blunt, they’re less expensive and easier to configure. Both of these reasons come down to cost—rather than purchasing and then deploying an entirely new way to log in, password managers provide an inexpensive tool that simply aids users in managing their existing logins more securely.

At first glance, it’s easy to imagine that in practical terms, there’s little distance between the two, and that while larger organizations have almost entirely adopted SSO across the board, password managers are acceptable for SMBs and SMEs.

Unfortunately, that’s simply not the case. Here are the reasons why.

SSO Has a Far Smaller Attack Surface

There are millions of stolen username-password pairs available for sale on the dark web. Malicious actors usually purchase these not to log into the systems from which they were stolen, but rather to take credentials that a user is known to have used in one place and see if they will work in other systems where access to that user’s account can net gains. And because users so often reuse username-password pairs across services, they often do—and mayhem is the result.

The average employee uses dozens of applications—which means dozens of exposed logins in a password manager ecosystem.© Shutter999 / Dreamstime

Add to this dictionary attacks , credential stuffing attacks , and other ways to attack login prompts to try to gain illicit access, and you can see why it’s a good idea to limit the number of login prompts that lead to your data. Each login prompt that stands between an attacker and your data adds to your attack surface—is another place for a bad actor to try to access your data.

Password managers don’t do anything to reduce this attack surface; for the username-password pairs stored in them to continue to work, in fact, every login prompt must remain operational and accessible.

With SSO, on the other hand, you know that none of your users will ever log into any of the company’s applications directly—so all of those login prompts can be disabled as you indicate to each application that your users only log in through SSO. When done properly, this means that your login prompt attack surface contains only one login prompt—your SSO login prompt.

SSO Massively Enables Multi-factor Authentication (MFA)

Since using a password manager doesn’t actually reduce the number of login prompts users have to contend with, it does nothing to reduce the pain of MFA  adoption. For each application a user employs, MFA must be enabled and enrolled.

There are several problems here. First, enabling MFA one app at a time for two or three apps might seem easy but it quickly becomes a frustrating task when a user has 20 or 30 apps, each of them with their own MFA configuration workflows. Next, this means that a user must have dozens of MFA “profiles” in their authenticator app—and they may even have to have multiple apps, plus codes by SMS or email.

In short, it’s a management nightmare, one that’s conducive to “push attacks,” in which users are so flummoxed by the complexity of their MFA universe, and so unable to keep track of which applications MFA how, that they end up simply approving any “Yes, it’s me” popup that appears—or pound any code in their phone into any prompt that asks for it. This is how MFA is most commonly defeated.

With SSO, on the other hand, you configure MFA once for your users—at the SSO login. They have one authenticator app, and one profile to maintain. It is always clear to them whether they’re expecting to enter a code right now or not.

SSO Gets You Best Practices—Like Passwordless—Sooner

In cybersecurity as elsewhere, it takes time for new practices and technologies to spread across the industry.

For this reason, when new standards or capabilities—like passwordless authentication with FIDO2—emerge, a few apps implement them right away, a few others drag their feet for a little while before implementing, and others may not update their capabilities for years (or even decades).

Using an SSO platform can help you to deploy new technologies—like FIDO2 passwordless—across all of your applications, no matter when they each individually implement it for their logins.© Daniil Peshkov / Dreamstime

SSO enables you to eliminate these delays for authentication and access management. FIDO2 support, for example, is still very uneven across the SaaS industry—but with an SSO platform that supports FIDO2, you can have passwordless authentication  support for all of your users and applications today—without waiting for the half or more of SaaS platforms that have yet to implement it (and that may not implement it for several more years to come).

SSO Eliminates Password Reuse

Ironically, though password managers are designed to relieve users of the need to remember passwords, many password manager users continue to reuse passwords. This is why most password manager tools have a “warn” feature to tell users that they’ve already used a password for one or several other applications—because it’s a problem that needed to be addressed. And unfortunately, many users ignore the warning.

Why do users reuse passwords even when they are using a tool designed to relieve them of the need to do this? Because a password is a password, and a login prompt is a login prompt. Decades of experience tell users that they “might need” to remember a particular password for a particular login prompt at some unexpected moment—including a moment when for whatever reason they’re not on a device where their password manager is available.

For this reason, users often continue to display poor password hygiene even when using password managers.

SSO relieves users of this cognitive dissonance; they only have one password to remember—their SSO password—so they are free to select a sufficiently complex password because they won’t need to remember others, nor remember “which password goes to which login prompt,” the question that most inspires password reuse.

SSO Provides Needed Access Controls

Password managers simply store credentials; they can’t control how or when those credentials are used. And unfortunately, many applications don’t support much in the way of access control beyond simple login grant or login deny with a username and password.

As an organization grows, however, the need for more granular access controls also grows. For example, it may be that users should only be able to log in to certain applications from their work computer—not from their home computer or mobile phone. It may be that they should only be able to log in from a certain network, or from a certain location, or at a certain time of day.

By managing application logins through SSO, these kinds of access controls can be easily implemented for every application, and done from a single location managed by an IT team. Many cloud applications don’t support these kinds of restrictions at all, and even when they do, it can quickly become impossible for an IT team to manage access controls spread across dozens of applications and user interfaces.

SSO Discourages, Rather than Encourages, Shadow IT

Password managers provide a ready incentive for users to adopt Shadow IT. The tool is there, ready to receive another login and password—so it’s a simple step to create and save one.

Password managers do little to discourage shadow IT, and in many practical ways, they enable it.© Aaron Amat / Dreamstime

With SSO, users lose the habit of simply creating another login; instead, they grow accustomed to the concept that logins happen centrally and are managed by the IT team—meaning that a new application needs to be added to SSO.

SSO Centralizes Logging and Makes It Auditable

As a business grows into more and more employees making use of more and more applications, spotting potential problems or bad behavior becomes ever more difficult—particularly when access logging is spread across many different individual applications, and especially when many SaaS applications don’t even support or provide this kind of logging.

Password managers do nothing to address this problem and in fact make it easy to enable logins and passwords to continue to multiply across systems, fragmenting logging further and further.

SSO provides a single, auditable log of who logged in at the front end (to the SSO platform) and when, and after that, which other applications they accessed and when, centralizing all access logging to a single, easily queryable log.

SSO Accounts for Human Factors

The biggest underlying causes of data and security breaches are human factors—the fact that all of the security, in all of the systems that companies use, is ultimately managed by people, and people are both fallible—and have bandwidth and attention limits.

Because password managers don’t do anything to reduce complexity for IT departments, they create any number of openings for security accidents. When a company standardizes on a password manager as the access tool of choice, either there is no centralized list of the software to which each employee has access, or someone must maintain such a list by hand.

Manually keeping a list of each application for each employee, and their required access level in it, isn’t just error-prone, it’s error-guaranteed. At some point, someone will be let go, but will retain access that they shouldn’t have because though they were removed from the first 20 applications in their list, the 21st was omitted—other other, similar problems.

By deploying SSO, IT teams are provided with a single place to manage access, access levels, and access controls for all employees, and they have at their fingertips the previously mentioned central log to review all employee login activity as they make decisions about these things.

By eliminating the human factors nightmare caused by having to manage so many applications, security incident will be avoided.

It’s 2023—Deploy SSO

If you’re at an organization that is still making due with password managers—particularly if your employee count or application list has grown into the double digits—it’s time to move on.

Password managers are an adequate solution for individuals in their personal lives, but any business or other formal organization with multiple users and many applications needs to adopt SSO and leave password managers behind.

Obviously we encourage companies to adopt Plurilock AI Cloud,  which provides passwordless-capable SSO and access control alongside cloud access security broker (CASB) functionality for Google Workspaces and Microsoft 365.

But whatever solution you ultimately adopt, the bigger picture is clear—the time for password managers in the worlds of business and government has passed. ■

Subscribe to the newsletter for Plurilock and cybersecurity news, articles, and updates.

You're on the list! Keep an eye out for news from Plurilock.