How to protect your organization’s single sign-on credentials from compromise

Half of the top 20 most valuable public U.S. companies had at least one single sign-on credential up for sale on the Dark Web in 2022, says BitSight.

Single sign-on, or SSO, is considered an effective method of authentication because it reduces the need for passwords and lets users authenticate across different applications and systems with just one single set of credentials. But what happens if your SSO credentials are compromised by attackers and used against you? A report published Monday by cybersecurity reporting service BitSight discusses the theft of SSO credentials and offers advice on how to protect your own organization from this threat.

By allowing the same credentials to access disparate systems, SSO offers several benefits, with three specific ones outlined by BitSight. Fewer account credentials means fewer targets for phishing attacks. Less time dealing with login attempts means more time that your employees can devote to critical tasks. And fewer credentials means fewer password resets and other issues for your help desk and IT staff.

How are cybercriminals accessing SSO credentials?

The downside with SSO credentials is they’re greatly desired by cybercriminals who can use them to gain access to a variety of applications and systems. Analyzing the Dark Web, BitSight found that 25% of the companies on the S&P 500 and half of the top 20 most valuable public U.S. companies had at least one SSO credential for sale in 2022.

Since January of 2022, there’s been a steady growth in the number of SSO credentials from public companies for sale on the Dark Web, according to BitSight. In June and July, more than 1,500 new credentials became available for sale. Though all kinds of companies are vulnerable, most impacted were those in the technology, manufacturing, retail, finance, energy and business services sectors.

SEE: Mobile device security policy (TechRepublic Premium)

What can happen if SSO credentials are compromised?

In an attack against SSO vendor Okta in January of 2022, cybercriminals used the stolen credentials from one of the company’s vendors to breach Okta itself. In the end, Okta cut off its relationship with the vendor. In another incident, a large phishing attack compromised almost 10,000 login credentials and more than 5,000 multi-factor authentication codes from 136 different companies. Affected organizations included Twilio, Cloudflare and Okta.

“Credentials can be relatively trivial to steal from organizations, and many organizations are unaware of the critical threats that can arise specifically from stolen SSO credentials,” said BitSight co-founder and CTO Stephen Boyer. “These findings should raise awareness and motivate prompt action to become better acquainted with these threats.”

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

How can organizations protect their SSO credentials?

To protect your organization’s SSO credentials from compromise and Dark Web sales, BitSight offers the following three tips:

Don’t rely just on traditional multi-factor authentication

By using phishing campaigns, attackers can steal SSO credentials even if you’ve enabled MFA. How? A cybercriminal targets your employees with a phony login page. An unsuspecting recipient enters their credentials as well as their MFA code, giving the attacker access to the account and any authorized data and applications.

Turn to adaptive MFA

Adaptive MFA improves on traditional authentication by assigning contextual rules and guidelines to decide whether to grant the login request. For example, this method looks at such factors as location, day and time, consecutive login failures and source IP address to help determine if the request is coming from the actual user.

Consider universal two-factor authentication

Universal two-factor authentication, or U2F, typically uses a physical security key or fob as a single sign-in method. Since a physical key is required for authentication, any fraudulent attempts to steal the credentials will fail. A recent cyberattack against content delivery network Cloudflare was prevented due to the company’s use of U2F keys.

“Businesses need to be aware of the risks posed by their major IT vendors,” Boyer said. “As we’ve seen repeatedly, insecure vendor credentials can provide malicious actors with the access they need to target large customer bases at scale. The impact of a single exposed SSO credential could be far reaching.”