Even Orgs With SSO Are Vulnerable to Identity-Based Attacks
SSO or no SSO, MFA or no MFA: an analysis of a snapshot of organizations using Push Security's platform finds that 99% of accounts remain susceptible to phishing.
With organizations adopting cloud services, mobile devices, and other digital technologies to meet customer needs and support an increasingly remote workforce, identity has become the security perimeter. Identity is where organizations authenticate, authorize, and manage users, applications, and devices. This requires organizations to invest in identity technologies such as single sign-on (SSO), multifactor authentication (MFA), continuous monitoring, and identity and access management (IAM).
But many gaps exist that leave organizations vulnerable to identity-based attacks, such as credential stuffing, brute-force, and phishing.
In an analysis of 300,000 accounts and associated login methods, Push Security's research team calculated that, on average, each employee in an organization has 15 identities. A little over a third (37%) of identities use password-based logins without MFA enabled, according to Push Security data.
The analysis also shows that 61% of accounts rely only on single sign-on, 29% have passwords only, and 10% of identities allow both single sign-on and a password. Almost two-thirds (63%) of accounts, regardless of whether single sign-on was available, use some form of MFA. Almost all of them rely on what Push Security deems "phishable MFA": methods such as push approvals, SMS, and one-time codes that an attacker can bypass, for example by MFA fatigue (repeated push prompts until the user approves one) or with attacker-in-the-middle (AitM) phishing toolkits that proxy the real login page and relay the code or captured session to the attacker. Barely 1% of accounts using single sign-on methods use "phishing-resistant MFA" (methods such as FIDO2/WebAuthn, which bind the credential to the legitimate origin so a proxied phishing page cannot complete the login), according to Push Security.
For password-only accounts, 80% do not have MFA enabled, while 40% of accounts that have both SSO login and a password lack MFA.
The problem with accounts having both SSO and a password is that it opens the door to ghost logins: the account keeps a local username and password alongside SSO, so every control the identity provider enforces, including its MFA policy, can be sidestepped by logging in with the local password. Despite having single sign-on, such an account can be compromised if an attacker recovers that password through credential stuffing or brute-force attacks.
Even when an application uses SSO, the user still has to authenticate to the identity provider, usually with a password, before reaching the application, which makes the identity provider account the single point of failure for every SSO login behind it. A look at identity provider accounts shows that 17% do not have MFA enabled and 10% reuse passwords. If that password is compromised, whether by credential stuffing or phishing, every account that trusts the SSO login is compromised with it.
Another point about MFA: Identity provider accounts are among the "most critical accounts that a user can have," Push Security notes, but 20% are missing MFA.
Also worrisome is that 9% of identities have had a breached, weak, or reused password and no MFA enabled, making these identities susceptible to attack.
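Turning the categories above (SSO-only, password-only, ghost logins with both SSO and a password, phishable versus phishing-resistant MFA, identity provider accounts without MFA, and breached, weak or reused passwords without MFA) into an audit you can run over your own account inventory: this is an added Python example, not Push Security's code or tooling. The record format, the app name `idp` for the identity provider account, the MFA method names, and the inventory itself are assumptions constructed for illustration, not real data.

```python
"""Audit an account inventory for the identity weaknesses discussed above.

Added example; the record format and the sample data are assumptions.
Each record is one account (identity) of one user in one app:
  login          - set of login methods the app accepts: "sso", "password"
  mfa            - MFA method enforced on the app's *local* password login
                   (None for pure-SSO accounts, whose MFA is the IdP's)
  password_flags - findings about the local password: "breached", "weak", "reused"
The app named "idp" is the identity provider account that SSO depends on.
"""
from collections import Counter

# Constructed sample inventory (not real data).
INVENTORY = [
    {"user": "alice", "app": "idp",  "login": {"sso"} - {"sso"} | {"password"}, "mfa": "fido2", "password_flags": set()},
    {"user": "alice", "app": "crm",  "login": {"sso"},             "mfa": None,   "password_flags": set()},
    {"user": "alice", "app": "wiki", "login": {"sso", "password"}, "mfa": None,   "password_flags": set()},
    {"user": "bob",   "app": "idp",  "login": {"password"},        "mfa": None,   "password_flags": {"reused"}},
    {"user": "bob",   "app": "crm",  "login": {"sso"},             "mfa": None,   "password_flags": set()},
    {"user": "bob",   "app": "ci",   "login": {"password"},        "mfa": "totp", "password_flags": set()},
    {"user": "carol", "app": "idp",  "login": {"password"},        "mfa": "push", "password_flags": set()},
    {"user": "carol", "app": "ci",   "login": {"password"},        "mfa": None,   "password_flags": {"breached"}},
]

# Assumed method names. FIDO2/WebAuthn credentials are origin-bound, so an
# AitM proxy cannot replay them; everything else is treated as phishable.
PHISHING_RESISTANT = {"fido2", "webauthn", "passkey"}
BAD_PASSWORD_FLAGS = {"breached", "weak", "reused"}


def login_class(acct):
    """Bucket an account the way the article does: SSO only, password only, or both."""
    methods = acct["login"]
    if methods == {"sso"}:
        return "sso_only"
    if methods == {"password"}:
        return "password_only"
    if methods == {"sso", "password"}:
        return "sso_and_password"
    raise ValueError(f"unexpected login methods {methods!r} for {acct['user']}/{acct['app']}")


def mfa_class(method):
    """'none', 'phishable' or 'phishing_resistant' for an MFA method name."""
    if method is None:
        return "none"
    return "phishing_resistant" if method in PHISHING_RESISTANT else "phishable"


def idp_account(inventory, user):
    """The user's identity provider record, or None if it is not in the inventory."""
    return next((a for a in inventory if a["user"] == user and a["app"] == "idp"), None)


def effective_mfa(acct, inventory):
    """MFA that actually guards the weakest login path into this account.

    A pure-SSO account inherits the IdP's MFA. Any account with a local
    password is only as strong as the MFA on that password path, because a
    ghost login bypasses the IdP entirely.
    """
    if login_class(acct) == "sso_only":
        idp = idp_account(inventory, acct["user"])
        return idp["mfa"] if idp else None
    return acct["mfa"]


def audit(inventory):
    """Return a sorted list of (user, app, finding) tuples."""
    findings = []
    for a in inventory:
        user, app, lc = a["user"], a["app"], login_class(a)
        if app == "idp":
            if a["mfa"] is None:
                findings.append((user, app, "idp_without_mfa"))
            if "reused" in a["password_flags"]:
                findings.append((user, app, "idp_password_reused"))
        if "password" in a["login"]:
            if a["mfa"] is None:
                if lc == "sso_and_password":
                    findings.append((user, app, "ghost_login_without_mfa"))
                elif app != "idp":
                    findings.append((user, app, "password_only_without_mfa"))
                if a["password_flags"] & BAD_PASSWORD_FLAGS:
                    findings.append((user, app, "bad_password_without_mfa"))
            elif mfa_class(a["mfa"]) == "phishable":
                findings.append((user, app, "phishable_mfa"))
        if lc == "sso_only":
            idp = idp_account(inventory, user)
            if idp is None or idp["mfa"] is None:
                findings.append((user, app, "sso_relies_on_idp_without_mfa"))
    return sorted(findings)


def summarize(inventory):
    """Counts of login classes and effective MFA classes, like the article's breakdown."""
    return {
        "accounts": len(inventory),
        "login": dict(Counter(login_class(a) for a in inventory)),
        "mfa": dict(Counter(mfa_class(effective_mfa(a, inventory)) for a in inventory)),
    }


if __name__ == "__main__":
    print(summarize(INVENTORY))
    for user, app, finding in audit(INVENTORY):
        print(f"{user:6} {app:5} {finding}")
```

The point of `effective_mfa` is the one the article makes about ghost logins: an SSO-only account is as strong as the identity provider account behind it, but the moment a local password exists, the IdP's MFA no longer counts and only the MFA on that local password path does. Replace the constructed `INVENTORY` with records exported from your own SSO and application admin consoles to get the same breakdown for your environment.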
"Accounts that are missing MFA are vulnerable to credential stuffing attacks targeting stolen, weak, or reused passwords, and even the most basic phishing toolkits," Push Security said.