In CISA’s Secure by Design whitepaper, we urge software manufacturers to consider how their business practices may inadvertently reduce the security posture of their customers. We recommend that essential security features should be available as part of the basic service offering. Consumers should not need to pay premium pricing, hidden surcharges, or additional fees for basic security hygiene. In particular, we mention that single sign-on capability should be available by default as part of the base offering—consumers should not need to bear an onerous “SSO tax” to get this necessary security measure.
While it might seem reasonable to charge more for some features, this practice can hinder improvements in security posture by discouraging organizations from adopting a robust identity and access management (IAM) system. Organizations, including those below the security poverty line, deserve basic security hygiene. We argue that security should not be priced as a luxury good but instead should be considered a customer right.
But the SSO tax is not the only barrier to adoption of SSO by small and medium sized businesses (SMBs). Customers have differing perspectives about SSO. Some SMBs see it as adding value that improves their security posture, while others do not believe the expense of SSO delivers significant operational improvement and commensurate returns. This latter view reflects the need for clear messaging on the advantages of SSO. We wanted to learn more about the uptake of SSO at SMBs and began work on a report to shine a brighter light on this topic. We conducted focus groups with SMBs to learn how well they understood SSO and its benefits, hear about their user experience with implementing and maintaining SSO, and understand the barriers SMBs encountered in implementing an SSO program.
The report cites the following key findings:
First, small enterprises often opt for manual passwords and hands-on approaches over an SSO option. These methods tend to have a reduced initial adoption cost, but this initial cost difference does not reflect the hidden administrative costs associated with maintaining manual passwords. A primary reason for the difference in the purchase cost for SSO is that SSO is often available only as a premium enterprise-level service. Such an enterprise service can cost significantly more per user than a lower-tier service that lacks SSO and typically requires a minimum number of users. These can be substantial barriers for many organizations.
Second, a lack of technical know-how and awareness poses another significant barrier to SSO adoption. Vendors feel confident that they offer sufficient training materials and how-to guides to support customers in effectively deploying SSO technology. However, customers have different perceptions and user experiences. Customers see SSO as a complex solution with numerous moving parts that may impede its successful deployment. These implementation challenges need to be addressed before customers consider adopting SSO.
Third, customers have varying degrees of satisfaction with the accuracy and completeness of support materials and instructions. Even some of the more experienced and technically savvy users reported the need to submit numerous support tickets and engage in multiple interactions with their vendor’s customer support staff to fill gaps or resolve inaccuracies and omissions. For SMBs with limited resources, the opportunity cost of that time and the hassles with support materials make the pursuit of proper SSO implementation seem prohibitively expensive and result in a negative user experience.
Clearly there is work to be done not only on the economics aspects, but also on the user experience, the SSO service offering structure and product design, feature awareness, as well as requisite technical guidelines and instructions to properly implement and maintain SSO in order to increase adoption by SMBs. Manufacturers should recognize these unique challenges for their SMB customers and configure their settings to reduce operational friction and frustration. Doing so is in line with Secure by Design Principle 1: Take ownership of customer security outcomes. At the same time, CISA will continue to raise awareness about the benefits of SSO. Together we can meaningfully improve the security and safety of our nation.
You can find the report and accompanying fact sheet at Barriers to Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses: Identifying Challenges and Opportunities.