Press Release
SSO Lulls Enterprises Into a False Sense Of Security, Study Finds

  • Teleport and Doyensec reveal key failings in increasing reliance on single sign-on (SSO) and Identity Providers (IdPs).
  • Research encourages adoption of ‘Defense-in-Depth’ approach to securing infrastructure.

OAKLAND, CA – June 20, 2024 – A study of the impact of identity provider compromises by security researchers at Doyensec, in collaboration with Teleport, has revealed the risks enterprises expose themselves to by increasingly relying on Single Sign-On (SSO). Although sold by Identity Providers (IdPs) for their convenience and security, the solutions can amplify the impact of breaches. The research shows these impacts can be significantly mitigated once additional layers of security are placed between the IdP and the linked applications and services.

The research arrives at a time when threat actors are accelerating attacks on identity. The recent breach of UnitedHealth Group’s Change Healthcare unit is just one of many high-profile examples in 2024, expected to cost that company up to $1.6 billion. Because of the role that IdPs play in centralizing authentication within organizations, threat actors can breach a user account and then pivot laterally to sensitive systems and data.

“No SSO provider should be assumed to be secure,” says Ev Kontsevoy, CEO at Teleport. “With SSO, if one individual’s identity is compromised, you could be handing over the master key to the castle. SSO does offer considerable convenience, but unauthorized access to one individual’s credentials exposes every platform and service for which that individual has privileges. Without additional defense in place, SSO by itself does not thwart identity-based attacks.”

Teleport worked with Doyensec to simulate IdP attack vectors ranging from full IdP compromise (affecting all IdP customers) to compromise of an IdP instance (affecting a specific company) through either privileged or unprivileged users. The latter is more common; entry patterns used by attackers include social engineering, broad-based or spear phishing campaigns, bribing employees for 2FA codes, prompt-bombing, credential stuffing, session hijacking, password spraying, and access token leakage.

The findings reveal:

  • A fully compromised IdP system incurs Critical impact, but with Low likelihood.
    • Such compromises require a deep understanding of the system and/or novel vulnerabilities, but if successful, they remove any limits on what attackers can do with the IdP platform.
  • Privileged IdP account compromise incurs High impact at a Medium likelihood.
    • Compromising an IdP admin user usually involves social engineering techniques, with success determined by a company’s specific policies related to credentials or by the attacker’s skill at impersonation.
  • Unprivileged IdP account compromise combined with Privileged Service Provider account compromise incurs High impact but Low likelihood.
    • Service provider admins usually have access to a wide range of administrative actions that can be hijacked for malicious intent, but they are a fairly restricted target audience.
  • Unprivileged IdP account compromise combined with Unprivileged Service Provider account compromise incurs Medium impact with High likelihood.
    • Social engineering can target a wide audience; compromised users, even without administrative rights, may still enable attackers to reach business-critical resources and perform malicious actions in infrastructure.

The potential impact of IdP compromise can include the theft of application and user data, impersonation of non-privileged and privileged users, spying on users and activity, downgrading of service provider security, and creation of new users and credentials.

To resolve these risks, Doyensec and Teleport concluded that services linked to a central source of authentication should introduce key mechanisms to defend against potential IdP compromise – an approach called Infrastructure Defense-in-Depth.

“What’s clear is that vulnerabilities in SSO and IdP platforms can have catastrophic impacts,” says Luca Carettoni, CEO at Doyensec. “Applying a defense-in-depth security layer on top of service providers can significantly limit the outcomes of a successful SSO provider compromise and reduce the impact against the protected infrastructure. The configuration of the defense-in-depth layer is extremely important to a company’s overall defense posture.”

Doyensec identified a set of key features and configurations that enable defense-in-depth against IdP compromise and tested these in the Teleport environment. In their tested scenarios, the infrastructure protected by Teleport remained secure in all forms of IdP compromise.

Phishing-resistant MFA-based features (per-session MFA, MFA for Administrative Actions, Web Authentication, and Device Trust) ensured that attackers could not breach further into downstream infrastructure. Access Requests and Dual Authorization eliminated standing privileges, enforcing the principle of least privilege and shrinking the possible attack surface. Additionally, features such as Mandatory MFA Enrollment enforced the security controls necessary to maintain defense, eliminating weak access patterns. Doyensec recommended further hardening of the configuration to prevent role mapping attacks and exploitation of auto-provisioning of new users.
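As an added illustration (this is not configuration from the press release, the white paper, or Teleport's own documentation), the fragment below shows how the controls named above map onto Teleport configuration: an `auth_service` section that keeps the SAML IdP as the login source but requires WebAuthn as the second factor and enrolled, trusted devices, and a role for SSO users that enforces per-session MFA and holds no standing privileged access, so elevation only happens through an Access Request approved by two reviewers (Dual Authorization). The host name, connector type, role names and approver count are assumed values; the keys are the ones Teleport documents for these features, and a real deployment should be checked against the current Teleport reference for the version in use.

```yaml
# Added example, not from the press release. Assumed values are marked.
#
# --- file: teleport.yaml (auth service) ---
auth_service:
  authentication:
    type: saml                  # users still arrive via the IdP ...
    second_factor: webauthn     # ... but every login needs a phishing-resistant factor
    webauthn:
      rp_id: teleport.example.com   # assumed host name
    device_trust:
      mode: required            # only enrolled, trusted devices may open a session

# --- file: sso-user-role.yaml (applied with `tctl create -f`) ---
# Role mapped to ordinary SSO users: no direct access to sensitive roles,
# MFA re-prompted on every connection, elevation only via an approved request.
kind: role
version: v7
metadata:
  name: sso-user                # assumed role name
spec:
  options:
    require_session_mfa: true   # per-session MFA: a stolen SSO session alone is not enough
  allow:
    request:
      roles: ["dba", "prod-admin"]   # assumed names of the privileged roles
      thresholds:
        - approve: 2            # Dual Authorization: two reviewers must approve
          deny: 1               # a single deny rejects the request
```

The important property for the scenarios in the study is that a compromised IdP account yields, at most, the `sso-user` role: reaching `dba` or `prod-admin` still requires a device that is enrolled in Device Trust, a WebAuthn assertion at session time, and two human approvals, none of which the IdP controls.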

Defense in depth is an even more urgent concern for modern infrastructure. Jack Poller, Principal Analyst at Paradigm Technica, noted, “Critically, in modern infrastructure, every access is a privileged access. Gaining access to a DevOps credential gives the attacker carte blanche access to the entire infrastructure, applications, and all the sensitive and critical corporate data.”

A full description of features, hardening strategies, and a security checklist for verifying the implementation of security controls is available in this white paper.