Pietro Rea

The SSO tax

September 09, 2023

As a security-minded technologist, you probably use a password manager, create unique, appropriately-complex passwords and turn on MFA for all the apps you use internally, right? That’s great, but if you’re also responsible for security at your org, how can you get all your colleagues to do the same?

You can roll out policies all day long, but there’s no practical way to enforce auth best practices without using an identity provider’s SSO. Once you start using SSO, you can bypass all your vendors’ default authentication systems (which are in no way standardized or offer all the features you need, like MFA) and instead use the SSO’s authentication system to protect all your service accounts uniformly.

In practice, if you have 30 apps that your company uses regularly, instead of asking employees to choose a strong password and turn on MFA 30 times, now they just have to do it once. Better yet, even if an app does not offer MFA, fronting that app with your SSO solution lets you effectively protect it with MFA.

Here’s the problem — once you start fronting your vendors with your SSO provider, you’ll see that SSO is often part of an “enterprise plan” that is significantly more expensive than the plan you’re currently on. Our JIRA cost went up over 40%. Our Notion cost went up 85%. I haven’t pulled the trigger on Figma yet, but that’s going to go up almost 300%. This website keeps track of the worst offenders. Its tagline:

A list of vendors that treat single sign-on as a luxury feature, not a core security requirement.

There’s a lot I could say about this practice, but I’ll just say this: your desire for better security should not be a key driver in a vendor’s pricing scheme. So if you’re early in your company’s journey and choosing software tools for the first time, take a peek at the SSO tax website. Some services on that list don’t have good replacements, but others do.

Pietro Rea
Written by Pietro Rea, a software engineer, engineering manager and author from northern Virginia.