How to protect your organization’s single sign-on credentials from compromise

Abraham Smith

According to BitSight, half of the top 20 most valuable US public companies had at least one single sign-on credential for sale on the dark web in 2022.

Single sign-on concept - SSO - Authentication technology that allows users to log in to independent apps and devices within a network with a single ID - 3D rendering.
Image: Adobe Stock

Single sign-on or SSO is considered an effective authentication method because it reduces the need for passwords and allows users to authenticate across different applications and systems with just a single set of credentials. But what happens when attackers compromise your SSO credentials and use them against you? A report released Monday by cybersecurity reporting service BitSight discusses SSO credential theft and offers advice on how to protect your own business from this threat.

By allowing the same credentials to access different systems, SSO provides several benefits, three of which are specific to BitSight. Fewer account credentials mean fewer targets for phishing attacks. Less time spent trying to log in means more time your employees can devote to critical tasks. And fewer credentials mean fewer password resets and other hassles for your helpdesk and IT staff.

How Do Cyber ​​Criminals Access SSO Credentials?

The number of new SSO credentials for sale on the Dark Web skyrocketed in June and July 2022.
The number of new SSO credentials for sale on the dark web skyrocketed in June and July 2022. Image: BitSight

The disadvantage of SSO credentials is that they are highly sought after by cyber criminals, who can use them to gain access to a variety of applications and systems. Analyzing the Dark Web, BitSight found that 25% of companies in the S&P 500 and half of the top 20 most valuable US public companies had at least one SSO credential for sale in 2022.

Since January 2022, the number of SSO credentials from publicly traded companies for sale on the dark web has steadily increased, according to BitSight. More than 1,500 new credentials went on sale in June and July. Although all types of businesses are vulnerable, the technology, manufacturing, retail, finance, energy and business services sectors were the hardest hit.

SEE: Mobile Security Policy (TechRepublic Premium)

What can happen if SSO credentials are compromised?

In an attack on SSO provider Okta in January 2022, cybercriminals used stolen credentials from one of the company’s providers to breach Okta itself. In the end, Okta severed the relationship with the provider. In another incident, a major phishing attack compromised nearly 10,000 credentials and more than 5,000 multi-factor authentication codes from 136 different companies. Affected organizations included Twilio, Cloudflare, and Okta.

“Stealing credentials from organizations can be relatively trivial, and many organizations are unaware of the critical threats that can pose specifically from stolen SSO credentials,” said BitSight co-founder and CTO Stephen Boyer. “These findings should raise awareness and motivate immediate action to better understand these threats.”

SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)

How can companies protect their SSO credentials?

To protect your company’s SSO credentials from compromise and dark web sales, BitSight offers the following three tips:

Don’t just rely on traditional multi-factor authentication

By using phishing campaigns, attackers can steal SSO credentials even if you have MFA enabled. As? A cybercriminal is targeting your employees with a fake login page. An unsuspecting recipient enters their credentials and MFA code, giving the attacker access to the account and all authorized data and applications.

Turn to adaptive MFA

Adaptive MFA improves on traditional authentication by applying contextual rules and policies to decide whether to grant the login request. For example, this method takes into account factors such as location, day and time, consecutive login failures, and the source IP address to determine if the request came from the actual user.

Consider universal two-factor authentication

Universal two-factor authentication, or U2F, typically uses a physical security key or fob as a single sign-in method. Because authentication requires a physical key, any fraudulent attempt to steal credentials will fail. A recent cyberattack on content delivery network Cloudflare was prevented by the company’s use of U2F keys.

“Enterprises need to be aware of the risks posed by their major IT vendors,” Boyer said. “As we have repeatedly seen, insecure vendor credentials can give malicious actors the access they need to attack large customer bases at scale. The impact of a single exposed SSO credential could be far-reaching.”

Leave a Reply

Your email address will not be published. Required fields are marked *