Passkeys and single sign-on (SSO)

Passkeys and single sign-on (SSO)

As passkeys become more popular for logins to websites and apps, companies that already use authentication via Single Sign-On (SSO) are especially left wondering if and how they can benefit from passkeys as well. Especially, in the enterprise context, when using SAML as SSO, this is a common question. The following article describes how passkeys alongside SSO can provide a secure and easy login experience for all users.

What is single sign-on (SSO)?

With single sign-on (SSO), users may securely login to several different applications and websites with just one set of credentials.

To easily grasp SSO, consider the authentication process for your app as a service that most developers create themselves. You are in charge of creating usernames and passwords, inserting them into a database, and verifying login information each time.

How does SSO work?

SSO-enabled apps let users log in using a third-party service, rather than keeping track of usernames and passwords themselves. These apps integrate with an Identity Provider (IDP) like Azure AD, Okta or OneLogin who takes care of it for you. These providers are typically more feature-rich and secure than what the average company would be able to create on their own.

SSO is one of key components of identity and access management (IAM) and should not be confused with a password manager that just stores credentials and inputs them into corresponding services.

To make things work and let user’s data be passed between different services, SSO tokens are issued. They allow a user logged in to one service to access related services without the need for reauthentication.

What types of SSO do exist?

There are three main types of SSO solutions on the market:

Open authorization (OAuth):

OAuth provides application the ability for secure designated access. You can tell your Identity Provider (e.g. Facebook) that it is OK for another website to access your profile information without having to give this website your password. If the website suffers a breach, the password remains safe as authorization tokens are used to prove identity. Today, OAuth 2.0 is the most common OAuth version.

OpenID Connect (OIDC):

OIDC is the preferred authentication protocol for consumer websites and apps. It is easy to implement and is based on RESTful API endpoints which allows convenient cross-device and cross-platform usage. Most social logins such as Apple, Facebook or Google are utilizing OIDC.

Security Access Markup Language (SAML):

SAML is a widespread authentication protocol in enterprise environments. It allows users to log in to a company server that grants them access to various company applications, e.g. CRM.

What are benefits of SSO?

Cybercriminals' primary targets are usernames and passwords. Therefore, there is an attack vector every time a user logs into a website or app. As most people use the same or similar passwords across various accounts, a hacker is likely to be able to access other websites if they gain access through one inadequately protected website. SSO decreases the attack surface because users only log in once and use a single set of credentials.

Moreover, SSO allows fast and efficient authentication and access to real-time data, as system administrators have an overview of used services and can manage authorization conveniently.

What are drawbacks of SSO?

SSO, however, just delays the password problem. Since all applications and data are protected by only one set of credentials, hackers will be able to access all programs protected by it if they possess this set. The password becomes a single point of attack.

This makes the use of passwords and other insecure authentication factors particularly dangerous. Further, SSO is not necessarily bound to a person. This means, for example, that anyone can log in to all applications on a device during the corresponding period when someone leaves the device unlocked.

Moreover, theintegration of SSO solutions into an application can be quite cumbersome as different Identity Providers have different flows that need to beimplemented.

How to combine passkeys and SSO?

As passkeys is the new standard for authentication in websites and apps, many companies that currently offer SSO are facing the question if and how they can benefit from passkeys. Especially, in the enterprise context, when using SAML as SSO, this is a common question.

There are three main reasons why enterprises should offer passkeys alongside SSO:

  1. Diversity of customer base: There are very few companies that solely offer SSO, as there are most of the times customers that do not have an enterprise SSO in place.
  2. Meet changing customer demand: With passkeys, the FIDO Alliance unanimously pushes the standard for passwordless applications across B2B and B2C. All users will become more accustomed to frictionless access to applications and services. Therefore, a convenient login option for users who cannot or do not want to use SSO is necessary.
  3. Improve security for local users: With SSO solutions, the customers themselves are responsible for account security. In the case of local users, however, it is not sufficient to refer to a traditional 2FA option as the adoption for 2FA is low. Particularly in the case of data requiring special protection, the requirements for the technical and organizational security measures of a provider company are especially high.

Therefore, a solution for platforms that have local users in addition to SSO users is necessary to provide all users with a secure and easy login. For the former, login with passkeys is a perfect solution.

How Corbado helps companies leverage passkeys alongside SSO

Corbado allows to quickly increase the quality and security for local users to the level of big tech companies with large IT security resources. With Corbado, you get the solution that immediately secures customers without SSO or traditional 2FA.

Currently it is not (yet) possible to combine SSO and passkeys. However, Corbado enables platforms that have both SSO users and local users to also provide the latter with a secure and convenient login experience. This level of security is achieved by the following measures:

  • Automatic passkeys 2FA: Local users are seamlessly transitioned to passkeys and thus automatically protected with 2FA due to passkeys’ inherent 2FA property
  • Passwordless alternatives: Local users who do not want to use passkeys can be offered an alternative passwordless authentication, e.g. email magic link, SMS OTP
  • Risk-based 2FA: Local users who want to stick with their passwords are protected by risk-based 2FA in the background (suspicious logins require a separate challenge) and trust mails (“a new device has logged into your account”)

Using Corbado helps to increase the security of all local users while SSO users are forwarded to their respective SSO provider. On top of that, all these security enhancing features come with a great UX that improves conversion rates, reduces password reset flows and makes your customers happier.

Moreover, in-house engineering efforts can be saved, costs for manual password resets can be cut and the in-house development efforts for an own product intelligence for passkey transition can be saved.

Try out Corbado’s passkey solution. The web component can be integrated without any risks in minutes.

Enjoyed this read?

Stay up to date with the latest news, strategies and insights about passkeys sent straight to your inbox!