Is the idea of Single Sign-On (SSO) a flawed concept without Two-Factor Authentication (2FA)?

Question

Before this gets flagged as a duplicate, I'm not asking a question about the disadvantages of single sign-on, I'm asking if the initial concept is flawed to begin with without enforcing two-factor authentication.

Let me explain what I mean:

1. The purpose of a password is to stop unauthorized people from accessing protected data.

2. We do not use the same password for every account because that potentially exposes all accounts when one is hacked.

Now enters Single Sign-On. Now millions of people put all their eggs (passwords) in one basket. This violates #2 because if the SSO provider gets hacked, then all the accounts are potentially exposed. Just look at the most recent (of several) hack on LastPass in 2015, and the even more recent hack of OneLogin in 2017, even having the ability to decrypt data.

Now with two-factor authentication, specifically using "something you have" as the second factor, you most likely prevent yourself from being the target of an SSO provider hack, unless the tokens were stolen too (but 2FA vulnerabilities are a whole other discussion.)

So how is SSO (without 2FA) much better than just using the same (lengthy) password all over, or maybe better, 3 passwords, so you have 3 chances to get it right (which shouldn't exceed password try limits) and you split any comprised password into 1/3 of all your accounts.

NOTE: I do not endorse using the same password over again. I personally have a unique password for every one of my 100 or so logins with a system that allows me to remember them, but I want to entertain the contrasts for the purpose of conversation.

Is there really a huge difference between using SSO (without 2FA) versus using 1 (or more) password (following the Password Do's and Don'ts) besides just shifting the job of password protection from 100 companies to just 1?

Now you could argue that you decrease your chances of getting hacked by shifting the security responsibility from 100 companies to just 1, but then I would ask if you would do better to have 100 unique passwords stored in 100 different companies than to have 100 passwords in 1 company.

All this just so raise the issue...

1. Does single sign-on make sense (from a security point of view) if we are not using Two-Factor Authentication?
2. Should we enforce Two-Factor Authentication when using Single Sign-On?
3. Without Two-Factor Authentication are we potentially giving people a false sense of security?

Please let me know if there is there something that I'm not taking into account.

Answer 1

1. Yes, SSO with-or-without 2FA makes sense from a security perspective, but not in the direction you've considered. SSO provides a way to instantly deny access to compromised credentials across all the systems that subscribe to it. So if my account is compromised on site A, the security provider can force a single password change that will impact my SSO account on all other protected sites. 2FA does not impact this one way or another.

Consider that SSO can initially be deployed without 2FA, but it can be converted by the security provider to use 2FA at a later time. This will deliver 2FA benefits to every site without those hundreds of sites having to change their codebases at all. That's a compelling argument not just in favor of 2FA, it's a benefit of outsourcing your security to a service dedicated to handling user authentication. They can make improvements to your clients' security without you needing to expend any resources.

2. If 2FA is even remotely an option, yes, of course you will improve security by choosing it. The only reason not to choose it today would be legacy system compatibility, and you shouldn't let that stop you from deploying it on a new system.

3. 2FA is not a magic bullet. It's a great improvement in security, but it's not invulnerable. Nor is single factor authentication a complete failure. Many sites that don't employ 2FA haven't had a breach. :-) All that said, Account Take Overs are pretty much shut down by 2FA, so you can actively help your users protect themselves by deploying it.

Finally, circling back to your anecdotal story of "I personally have a unique password for every one of my 100 or so logins with a system that allows me to remember them", this has two significant problems that you haven't acknowledged. First, you are much better trained and far more skilled than 99% of common users - skills and techniques you may think are easy are far beyond the reach of virtually half the population of the planet. This solution does not and cannot scale to benefit all users. SSO may be a compromise that introduces additional (and significant) risks, but it's a compromise that will benefit the full spectrum of the public.

Next, be aware that if a threat actor is targeting you specifically (different than someone driftnet trawling with passwords stolen from a large breach), and compromises your password on three different low-value sites, he may acquire enough data points to recognize the pattern underlying your password generating algorithm. From there, he can try logging on following the same algorithm to derive potential passwords for you at high value sites, such as mybank.com, firstbank.com, lastbank.com, myretirementaccount.com, etc.