SSO and Authentication Methods
Authenticating Users for SSO
This article explains ways to adjust Single Sign-On (SSO) behavior depending on the user's authentication methods. The goal is to balance security with user experience while addressing common challenges like managing multiple passwords and user identities.
Authentication Methods and Their Limitations
When an application uses OAuth, there are many ways to control how users sign in. When choosing authentication methods, weigh the assurance each method provides against the effort it demands from the user and the sensitivity of the action being protected. Stronger methods are often more cumbersome, and requiring them too often degrades the user experience.
For example:
Username and Password: Commonly used, but brings password management challenges and risk, especially when users choose weak passwords or reuse the same password across applications, so that a breach of one site exposes their accounts elsewhere.
Multi-Factor Authentication (MFA): Improves security but adds friction, since users must switch to a second device (for example a phone that receives a one-time code) every time the factor is required.
To keep the experience seamless while improving security, you need to be able to tune SSO behavior separately for each authentication method.
Improving Experience and Security
SSO enables you to reduce the number of passwords users must manage, and to use the resulting authenticated identity to authorize access to sensitive data correctly.
Using SSO Expiration Times
One solution is to require different authentication methods at different intervals. Methods that are more secure but more cumbersome can be required less frequently, while lighter-weight methods can be required more often without inconveniencing the user too much.
This behavior is achieved by setting the SSO session expiration time individually for each authenticator. In the Curity Identity Server, for example, the SSO session is stored separately per authentication method, and the user must re-authenticate with a given authenticator when that authenticator's session expires.
Example
Authentication Method | SSO Expiration Time | User Behavior |
---|---|---|
Username / Password | 1 day | The first factor, which must be entered daily |
Text Message (SMS) | 30 days | The second factor, which must be entered monthly |
With the above SSO expiration configuration you get a more user-friendly login flow:
- Day 1: Users log in with username/password and SMS authentication.
- Day 2: Returning users only need to enter their username and password, because the SMS session is still valid.
- Day 31: Users must re-authenticate with both factors, because the SMS session has now expired as well.
This is a common setup for sites that users access frequently.
Stepping Up Authenticators
You can use a step-up approach: frictionless authentication for low-sensitivity data, and strong authentication only for sensitive operations.
Example:
- On an e-commerce website, users log in with their first factor, username/password, to browse items.
- To purchase items, the APIs can require an access token issued at a higher authentication level. To obtain one, the user must authenticate with the more secure second factor. Because the SSO session for the first factor is still valid, they do not have to enter it again.
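The following example, written for this article and not part of Curity's product code, simulates both sections above: per-authenticator SSO expiration (the 1-day password and 30-day SMS table, replayed on days 1, 2 and 31) and the e-commerce step-up flow. The session model, the `RESOURCE_POLICY` mapping from API resource to required factors, and the use of the standard OIDC `amr` claim to carry the authentication methods behind a token are assumptions made for illustration; the Curity Identity Server's internal representation is not shown here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Per-authenticator SSO lifetimes, taken from the table above.
SSO_LIFETIMES = {
    "password": timedelta(days=1),
    "sms": timedelta(days=30),
}

# Factors each API resource demands (hypothetical policy for the e-commerce example).
RESOURCE_POLICY = {
    "browse": ("password",),
    "purchase": ("password", "sms"),
}


@dataclass
class SsoSession:
    """SSO state for one user agent: the time each authenticator last succeeded."""
    authenticated_at: dict = field(default_factory=dict)

    def valid_methods(self, now):
        """Authenticators whose individual SSO window has not yet elapsed."""
        return {m for m, t in self.authenticated_at.items()
                if now - t < SSO_LIFETIMES[m]}

    def login(self, required, now):
        """Prompt only for factors with no valid SSO entry; return the factors prompted."""
        prompted = [m for m in required if m not in self.valid_methods(now)]
        for m in prompted:
            self.authenticated_at[m] = now  # simulate the user completing that factor
        return prompted

    def issue_token(self, now):
        """Access token whose 'amr' claim lists the methods currently backing the session."""
        return {"amr": sorted(self.valid_methods(now)), "iat": int(now.timestamp())}


def api_call(token, resource):
    """Resource server check: refuse with the missing factors when the token is too weak."""
    missing = [m for m in RESOURCE_POLICY[resource] if m not in token["amr"]]
    if missing:
        return 403, "step_up_required:" + ",".join(missing)
    return 200, "ok"


def run_expiry_scenario():
    """Days 1, 2 and 31 from the article: which factors the user is asked for each day."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed start time
    session = SsoSession()
    result = {}
    for day in (1, 2, 31):
        now = t0 + timedelta(days=day - 1)
        result[day] = session.login(("password", "sms"), now)
    return result


def run_step_up_scenario():
    """Browse with the first factor, get refused on purchase, step up with the second only."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    session = SsoSession()
    steps = [("login", session.login(("password",), now))]
    token = session.issue_token(now)
    steps.append(("browse", api_call(token, "browse")))
    steps.append(("purchase", api_call(token, "purchase")))
    # The API refused. Five minutes later the user steps up: the password SSO entry
    # is still valid, so only the SMS factor is prompted.
    now += timedelta(minutes=5)
    steps.append(("step-up", session.login(("password", "sms"), now)))
    token = session.issue_token(now)
    steps.append(("purchase", api_call(token, "purchase")))
    return steps


if __name__ == "__main__":
    print(run_expiry_scenario())
    for step in run_step_up_scenario():
        print(*step)
```

The important design point is that the step-up decision is made by the API from the token's claims, not by the client, and that the resulting re-authentication only asks for the factor whose SSO entry is missing. In a real deployment the API must also verify the token's signature and lifetime before trusting the `amr` claim.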
Conclusion
SSO improves the user experience by reducing the number of passwords users must manage, while still providing a reliable authenticated identity for authorization. By building on open standards like OAuth and tuning SSO session expiration per authentication method, you can prompt users for each factor only when necessary, balancing usability and security across multiple applications.
More information
For more information, see the authentication service product documentation