A report from CISA describes the implementation hurdles that small and medium-sized businesses face in adopting single sign-on.

A report by the Cybersecurity and Infrastructure Security Agency (CISA) is the latest research to point out the Barriers to Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses. While the listed reasons aren’t new or even unexpected, the report is a good summary of the steep climb that many SMBs face in implementing SSO. The findings are based on a series of focus groups with various stakeholders, including SSO vendors, their SMB customers and channel providers, and network auditors.

SSO has long been touted as a way to avoid password-based problems such as phishing and man-in-the-middle attacks, and to control the increasing sprawl of cloud services. SSO tools centralize user authentication and automate the login process, supplying strong credentials to connected services and reducing the risk of weak or forgotten passwords. This improves an organization’s overall security posture while reducing support costs and help-desk calls. As CISA documents in its report, SSO “provides an integrated and unified tool for user management, reducing management overhead and preventing stale user accounts.”

Reasons preventing SMBs from adopting SSO

CISA’s report cites several reasons why SSO hasn’t been deployed by smaller organizations, including greater administrative implementation burdens, a lack of technical know-how within SMB IT departments, and incomplete support documentation. On top of these obstacles is a perceptual one: during the focus groups, CISA found that SMBs tend to become motivated to purchase SSO tools only after experiencing a major security breach. This is a common challenge for other security technologies, even in larger organizations. SSO tools can provide a better digital experience for both SMB staff and their customers, provided they are implemented properly.
SSO can reduce the cost of frequent user and customer password resets, “through providing advanced authentication at a lower operating cost while also improving cyber resilience as long as the SMB market can find solution providers with the technical expertise necessary,” says Saviynt chief trust officer Jim Routh. This mirrors CISA’s findings, which note that organizations “frequently need more dedicated staff to implement an SSO solution.” This stretches already thin IT operations and is a big reason why SMBs lag in SSO adoption.

“There are SMBs who have internal IT staff and SMBs who do not,” says Adam Kuhn, IT director of the Futures Industry Association. “Those who do have staff should always try to tie cloud-based products to their office productivity suite – of which the top two are Microsoft 365 and Google. Many SaaS application vendors should offer the ability to federate their authentication with both Microsoft 365 and Google and have this option available for SMB license tiers.”

The prohibitive cost structure has been labeled the “SSO Tax,” and CISA says potential SMB customers “perceive SSO as being excessively costly due to the higher cost of the premium-tier service that includes SSO as compared to the lower-tier service that does not include SSO coupled with a requirement to subscribe for a minimum number of seats that may exceed the actual number of users.” Two websites (sso.tax and ssotax.org) keep track of this phenomenon. They list on their “wall of shame” the software vendors who have put SSO out of reach of the SMB market, such as Adobe, Monday.com, New Relic, Quip, and RingCentral. For example, the collaboration service Quip’s Starter tier is priced at $10 per month per user, but SSO is offered only in the Plus tier at $25 per month per user. Monday.com, a popular back-office accounting service, starts at $7 per month and rises to $27 per month for its SSO features.
“This discourages organizations from adopting a robust identity and access management system,” wrote Olga Livingston on CISA’s blog last week. CISA recommends that vendors unbundle SSO from other premium services and include the feature in the basic pricing tier.

But cost and organizational capacity are only part of the problem. SSO requires “numerous moving parts,” as CISA says in its report. Legacy applications, for example, often require updates, some of them major efforts, before they can support SSO. “Many SMBs are using outdated systems for their day-to-day operations that can’t support a modern SSO solution,” writes CISA in its report. These upgrades are further hampered by poor SSO documentation. CISA notes that “users consistently emphasized that instructions are incomplete, vague, and often inaccurate” when it is time for SMBs to implement their SSO solution, and recommends that vendors step up their game in this area.

This is the Catch-22 of SSO: yes, it can provide better security, but only if your SaaS vendors support it and price it reasonably, and only if you can assemble the technical team needed to implement it. “Security should not be priced as a luxury good but instead should be considered a customer right,” says Livingston.