{"id":5776,"date":"2024-10-15T05:00:59","date_gmt":"2024-10-15T10:00:59","guid":{"rendered":"https:\/\/www.darkreading.com\/identity-access-management-security\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks"},"modified":"2024-10-15T05:00:59","modified_gmt":"2024-10-15T10:00:59","slug":"even-orgs-with-sso-are-vulnerable-to-identity-based-attacks","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/10\/15\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks\/","title":{"rendered":"Even Orgs With SSO Are Vulnerable to Identity-Based Attacks"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt1a43e41b2a2eccc9\/670e570877f5d5231ea14bcc\/pushsecurity-identity-configurations.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">With organizations adopting cloud services, mobile devices, and other digital technologies to meet customer needs and to support an increasingly remote workforce, identity is the security perimeter. Identity is where organizations authenticate, authorize, and manage users, applications, and devices. 
This requires organizations to invest in identity technologies such as single sign-on, multifactor authentication, continuous monitoring, and identity access management.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Currently, there are a lot of gaps that leave organizations vulnerable to identity-based attacks such as credential stuffing, brute force, and phishing.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In an analysis of 300,000 accounts and associated login methods, Push Security\u2019s research team calculated that the average employee in an average organization has 15 identities. A little over a third (37%) of identities used password-based logins with no MFA enabled, according to Push Security data.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">According to the analysis, 61% of accounts relied only on single sign-on, 29% had only passwords, and 10% of identities allowed both single sign-on and a password. Almost two-thirds (63%) of accounts \u2014 regardless of whether single sign-on was available or not \u2014 used some form of MFA. Almost all of them relied on what Push Security deemed \u201cphishable MFA,\u201d which refers to methods vulnerable to bypass attacks such as MFA fatigue or advanced attacker-in-the-middle phishing toolkits. 
Fewer than 1% of accounts using single sign-on methods used \u201cphishing-resistant MFA,\u201d according to Push Security.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">For accounts that had only a password, 80% did not have MFA enabled, while 40% of accounts that had both SSO login and a password lacked MFA.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The problem with accounts that have both SSO and a password is that this opens the door to ghost logins: situations where an account has multiple login methods. In this case, despite having single sign-on, these accounts could still be compromised if an attacker figures out the password via credential stuffing or brute-force attacks.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Even in cases where SSO is used, there is a password login to the identity provider at the beginning of the flow. A look at identity provider accounts shows that 17% do not have MFA enabled, and 10% reused passwords. 
If this password is somehow compromised \u2014 perhaps by credential stuffing or phishing \u2014 the accounts with SSO logins are also compromised.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Another thing about MFA: identity provider accounts are among the \u201cmost critical accounts that a user can have,\u201d Push Security noted, but 20% are missing MFA.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Also worrying was that 9% of identities had a breached, weak, or reused password <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_italic\">and<\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> had no MFA enabled, making these identities susceptible to attack. 
\u201cAccounts that are missing MFA are vulnerable to credential stuffing attacks targeting stolen, weak, or reused passwords, and even the most basic phishing toolkits,\u201d Push Security said.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/identity-access-management-security\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>With organizations adopting cloud services, mobile devices, and other digital<\/p>\n","protected":false},"author":12,"featured_media":5777,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-5776","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks.jpg?fit=2000%2C1125&ssl=1",2000,1125,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks.jpg?fit=1536%2C8
64&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks.jpg?fit=2000%2C1125&ssl=1",2000,1125,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category 
tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/even-orgs-with-sso-are-vulnerable-to-identity-based-attacks.jpg?fit=2000%2C1125&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5776","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5776"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5776\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/5777"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5776"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5776"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5776"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}