It’s true that password manager solutions and single sign-on (SSO) share the same purpose: making it easy for users to log in across different applications. In both techniques, a user can unlock access to multiple websites and applications, using a single login. These similarities are why people often wonder whether SSO and password managers are the same thing.
Well, they are not. Both techniques support multi-application login, but in fundamentally different ways. In this article, we’ll look at both techniques in more detail and help you choose the solution that best fits your organization.
Traditionally, password manager solutions store user passwords in a secure vault. Access to a password manager is secured via a master password. Whenever a user starts their day, they log in to the password manager using their master password. After that, the password manager automatically enters the user’s passwords to all the authorized applications and websites.
The login process is made convenient for the user, as a single login opens access to all of their favorite applications and websites. This also incentivizes the use of complex passwords; since users only have to create and remember one password, they are more likely to make it secure and hard to guess.
But password managers still have one inherent problem: passwords. Even when a password is complex and seemingly impossible to guess, it remains susceptible to social engineering, phishing, and brute-force attacks. Improperly secured passwords account for 81 percent of all data breaches.
A master password compromise would allow a cybercriminal access to all applications and systems that a user is allowed to access. This essentially creates a single point of failure.
On the other hand, SSO goes beyond using just passwords for authentication. It grants access based on trust. SSO establishes trust relationships across different applications and uses them to determine whether the user is to be granted access.
A user’s identity attributes (e.g. username and password, device IDs, geographical location) are stored and checked during login, and the verified identity is then shared with other trusted applications and systems; this is federated identity. If a user is trusted by one system, they are automatically trusted by every system that has a trust relationship with that system, so there is no need to manage multiple passwords.
Modern SSO applications achieve identity federation using protocols like SAML 2.0 and OpenID Connect. The best part about SSO is that you can interconnect any system that supports identity federation. For example, you can integrate it with your VPN, firewalls, smartphone applications, and cloud and on-premises resources. Password managers offer no comparable level of interoperability.
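To make the trust relationship concrete, here is an added example (not the article's own code, and not an implementation of SAML 2.0 or OpenID Connect): one identity provider checks the password once and issues a short-lived, signed assertion bound to a single application; each application that trusts the provider verifies the signature, issuer, audience and expiry instead of holding a password of its own. The issuer URL, user, application names and keys are constructed, and the HMAC-SHA256 signature is a self-contained stand-in for the asymmetric signatures those protocols use.

```python
import base64
import hashlib
import hmac
import json

PBKDF2_ROUNDS = 100_000


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The one system that holds credentials and the assertion signing key."""

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer = issuer
        self.signing_key = signing_key
        self._users = {}  # username -> (salt, PBKDF2 digest)

    def register(self, username: str, password: str) -> None:
        # Constructed deterministic salt keeps the example reproducible; use os.urandom(16) in practice.
        salt = hashlib.sha256(username.encode()).digest()
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def authenticate(self, username: str, password: str) -> bool:
        if username not in self._users:
            return False
        salt, stored = self._users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, stored)

    def issue_assertion(self, username: str, audience: str, now: int, lifetime: int = 300) -> str:
        """Sign a claim set bound to one relying party through the 'aud' claim."""
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "iat": now, "exp": now + lifetime}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"


class ServiceProvider:
    """An application that trusts the IdP instead of keeping passwords of its own."""

    def __init__(self, app_id: str, trusted_issuer: str, idp_key: bytes):
        self.app_id = app_id
        self.trusted_issuer = trusted_issuer
        self.idp_key = idp_key  # the trust relationship: knowing the IdP's verification key

    def accept(self, token: str, now: int) -> tuple:
        """Return (accepted, subject or reason); signature first, then issuer, audience, expiry."""
        parts = token.split(".")
        if len(parts) != 2:
            return False, "malformed"
        body, sig = parts
        expected = hmac.new(self.idp_key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
        if claims.get("iss") != self.trusted_issuer:
            return False, "untrusted issuer"
        if claims.get("aud") != self.app_id:
            return False, "wrong audience"
        if now >= claims.get("exp", 0):
            return False, "expired"
        return True, claims["sub"]


def demo() -> dict:
    """One primary login at the IdP, several applications consuming the resulting assertions."""
    now = 1_700_000_000  # fixed clock keeps the example deterministic
    idp = IdentityProvider("https://idp.example.test", b"constructed-idp-signing-key")
    idp.register("alice", "correct horse battery staple")
    vpn = ServiceProvider("vpn", idp.issuer, idp.signing_key)
    wiki = ServiceProvider("wiki", idp.issuer, idp.signing_key)
    stranger = ServiceProvider("wiki", idp.issuer, b"never-enrolled-with-the-idp")

    results = {"wrong password": idp.authenticate("alice", "guess")}
    if not idp.authenticate("alice", "correct horse battery staple"):
        return results  # no assertion without a successful primary login
    vpn_token = idp.issue_assertion("alice", "vpn", now)
    wiki_token = idp.issue_assertion("alice", "wiki", now)
    results["vpn accepts own token"] = vpn.accept(vpn_token, now)
    results["wiki accepts own token"] = wiki.accept(wiki_token, now)
    results["wiki rejects vpn token"] = wiki.accept(vpn_token, now)  # audience restriction
    results["stranger rejects"] = stranger.accept(wiki_token, now)  # no trust relationship
    results["expired"] = vpn.accept(vpn_token, now + 301)
    forged = wiki_token.split(".")[0] + "." + vpn_token.split(".")[1]  # wiki claims, vpn signature
    results["forged"] = vpn.accept(forged, now)
    return results
```

Running `demo()` shows the two properties the paragraph relies on: the password is checked in exactly one place, and an application that was never given the provider's key (the `stranger`) cannot consume the assertion at all. The audience check also keeps an assertion issued for the VPN from being replayed at the wiki, which is why per-application audiences matter in SAML and OIDC deployments.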
Modern SSO applications allow administrators to collect different attributes of a login request (e.g. IP address, device ID, requested resource, browser, etc.) and use them to establish login context. This context can then be used to create tailored access policies.
For example, if an internal resource is ever accessed from an unknown device, the request should be declined, even if the provided credentials are correct. Or if a user’s IP address is outside the configured IP range, they should be redirected to the multi-factor authentication (MFA) screen.
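The two policies just described, as an added example rather than code from the article or from any particular SSO product: a small rule set evaluates the attributes collected from a login request (user, source IP, device ID, requested resource, browser) and returns allow, step-up to MFA, or deny. The network ranges, enrolled devices, resource names and sample requests are constructed, and the rule that sends an unknown device on a trusted network to MFA is an assumption added for completeness, not something the article states.

```python
import ipaddress
from dataclasses import dataclass

ALLOW, REQUIRE_MFA, DENY = "allow", "require_mfa", "deny"

# Constructed policy data standing in for what an SSO administrator would configure.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
ENROLLED_DEVICES = {"alice": {"laptop-01"}, "bob": {"laptop-02", "phone-02"}}
INTERNAL_RESOURCES = {"wiki", "hr-portal", "git"}


@dataclass(frozen=True)
class LoginContext:
    """Attributes the SSO front end collects from one login request."""
    username: str
    source_ip: str
    device_id: str
    resource: str
    browser: str
    credentials_valid: bool


def evaluate(ctx: LoginContext) -> tuple:
    """Return (decision, reason) for one request; rules are ordered and the first match wins."""
    # Rule 0: nothing else matters if the primary credential check already failed.
    if not ctx.credentials_valid:
        return DENY, "invalid credentials"

    known_device = ctx.device_id in ENROLLED_DEVICES.get(ctx.username, set())

    # Rule 1: internal resources are never served to unknown devices, even with good credentials.
    if ctx.resource in INTERNAL_RESOURCES and not known_device:
        return DENY, "internal resource requested from unknown device"

    # An unparseable source address is treated as untrusted rather than crashing the decision.
    try:
        ip = ipaddress.ip_address(ctx.source_ip)
    except ValueError:
        return DENY, "source address unparseable"

    # Rule 2: outside the configured ranges, step up to MFA instead of denying outright.
    if not any(ip in net for net in TRUSTED_NETWORKS):
        return REQUIRE_MFA, "source address outside configured range"

    # Assumption for this example (not from the article): unknown device on a trusted network,
    # requesting a non-internal resource, still gets MFA rather than a silent allow.
    if not known_device:
        return REQUIRE_MFA, "unknown device"

    return ALLOW, "enrolled device on trusted network"


def evaluate_all(requests) -> list:
    """Evaluate a batch, print one audit line per decision, and return the decisions."""
    decisions = []
    for ctx in requests:
        decision, reason = evaluate(ctx)
        decisions.append(decision)
        print(f"user={ctx.username} ip={ctx.source_ip} device={ctx.device_id} "
              f"resource={ctx.resource} decision={decision} reason={reason!r}")
    return decisions


SAMPLE_REQUESTS = [  # constructed login contexts
    LoginContext("alice", "10.1.2.3", "laptop-01", "wiki", "firefox", True),
    LoginContext("alice", "10.1.2.3", "tablet-99", "wiki", "safari", True),
    LoginContext("alice", "203.0.113.7", "laptop-01", "wiki", "firefox", True),
    LoginContext("bob", "192.168.1.20", "phone-02", "mail", "chrome", False),
    LoginContext("bob", "not-an-ip", "phone-02", "mail", "chrome", True),
    LoginContext("bob", "10.9.9.9", "kiosk-7", "mail", "chrome", True),
]

if __name__ == "__main__":
    evaluate_all(SAMPLE_REQUESTS)
```

The ordering is the point: the device rule for internal resources runs before the network rule, so a correct password from an unenrolled device is denied outright rather than merely challenged, exactly as the paragraph prescribes, while an enrolled device from an unexpected address is challenged rather than blocked. Every decision carries a reason so the audit trail explains why a user was stepped up or refused.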
In most cases, it makes sense to choose SSO over a password manager. SSO is the modern approach: it reduces the dependency on passwords, enables customized access policies and expands interoperability. However, that doesn’t mean you should never consider password managers.
In certain situations, choosing password managers over SSO is the correct choice. For example, if you have several legacy applications that are not compatible with SAML, a password manager is absolutely the ideal choice.
The important thing is to properly weigh your options before choosing. Understand the pros and cons of each technique, learn how they support your business’s needs, and then make a calculated decision.