What prevents SMBs from adopting SSO

News Analysis
Jun 25, 2024 | 5 mins
Passwords, Single Sign-on, Small and Medium Business

A report from CISA describes the implementation hurdles that small and medium-sized businesses face in adopting single sign-on security.


A report by the Cybersecurity and Infrastructure Security Agency (CISA), Barriers to Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses, is the latest research to point out these obstacles. While the listed reasons aren’t new or even unexpected, it is a good summary of the steep climb that many SMBs face in implementing SSO.

The findings are based on a series of focus groups of various stakeholders, including the SSO vendors and their SMB customers and channel providers, along with network auditors.

SSO has long been touted as a way to avoid password-based problems such as phishing and man-in-the-middle attacks and to control the increasing sprawl of cloud services. SSO tools supply complex passwords to centralize user authentications and automate the login process, reducing the risk of weak or forgotten passwords. It thereby increases the overall security posture of an organization, while at the same time reducing support costs and calls. As CISA documents in its report, SSO “provides an integrated and unified tool for user management, reducing management overhead and preventing stale user accounts.”

Reasons preventing SMBs from adopting SSO

CISA’s report cites several reasons why SSO hasn’t been deployed by smaller organizations, including greater administrative implementation burdens, lack of technical know-how within SMB IT departments, and incomplete support documentation. On top of these obstacles is a perceptual one: during the focus groups, CISA found that SMBs would be more motivated to purchase SSO tools only after experiencing a major security breach. This is a common challenge for other security technologies, even in larger organizations.

SSO tools can provide a better digital experience for both SMB staff and their customers, provided they are implemented properly. SSO can reduce the costs of frequent user and customer password resets, “through providing advanced authentication at a lower operating cost while also improving cyber resilience as long as the SMB market can find solution providers with the technical expertise necessary,” says Saviynt chief trust officer Jim Routh. This mirrors CISA’s reporting, which found that organizations “frequently need more dedicated staff to implement an SSO solution.”

This stretches already thin IT operations and is a big reason why SMBs lag in SSO adoption. “There are SMBs who have internal IT staff and SMBs who do not,” says Adam Kuhn, IT director of the Futures Industry Association. “Those who do have staff should always try to tie cloud-based products to their office productivity suite – of which the top two are Microsoft 365 and Google. Many SaaS application vendors should offer the ability to federate their authentication with both Microsoft 365 and Google and have this option available for SMB license tiers.”

The prohibitive cost structure has been labeled the “SSO Tax,” and CISA says potential SMB customers “perceive SSO as being excessively costly due to the higher cost of the premium-tier service that includes SSO as compared to the lower-tier service that does not include SSO coupled with a requirement to subscribe for a minimum number of seats that may exceed the actual number of users.”

There are two websites (sso.tax and ssotax.org) that keep track of this phenomenon. On their “wall of shame” they list the software vendors that have put SSO out of reach of the SMB market, such as Adobe, Monday.com, New Relic, Quip, and RingCentral. For example, the collaboration service Quip’s Starter price is $10 per month per user, but the Plus tier, which offers the SSO feature, is priced at $25 per month per user. Monday.com, a popular back-office accounting service, starts at $7 per month and increases to $27 per month for its SSO features. “This discourages organizations from adopting a robust identity and access management system,” wrote Olga Livingston on CISA’s blog last week. CISA recommends that vendors unbundle SSO from other premium services and include the feature in the basic pricing tier.

But cost and organizational ability are just the tip of the iceberg. Part of the problem is that SSO requires “numerous moving parts,” as CISA says in its report. For example, legacy applications often require updates, some of which can be major efforts, to support SSO technologies. “Many SMBs are using outdated systems for their day-to-day operations that can’t support a modern SSO solution,” writes CISA in its report. These upgrades are further hampered by poor SSO documentation. CISA reports that “users consistently emphasized that instructions are incomplete, vague, and often inaccurate” when it is time for SMBs to implement their SSO solution, and recommends vendors step up their game in this area.

This is the Catch-22 of SSO: yes, it can provide better security, but only if your SaaS vendors support it and price it properly, and only if you can gather the necessary technical team to implement it. “Security should not be priced as a luxury good but instead should be considered a customer right,” says Livingston.