Two recommendations come to mind. One is to establish a good security and compliance awareness program. Generally,...
if people are told not to do something -- like access another person's account without proper authorization -- they'll comply.
Second, for extremely sensitive data applications, use two-factor authentication. Username/password authentication in an SSO environment is much riskier than two-factor authentication, as you note. And two-factor authentication doesn't mean all users have to carry a smart card; tokenless two-factor authentication services are readily available and not as expensive as their hard-token counterparts.
But the biggest recommendation I have to offer is to do a market study on whether hardening single sign-on environments is even necessary. (Ask the single sign-on vendor(s) you're working with to help with this.) Generally, organizations are able to implement single sign-on internally with few to no issues of compromise using username/password schemes. Also, be sure to discuss security concerns with the senior managers to better understand what their actual fears are and address them directly.
Related Q&A from Randall Gamby
Simple photography cracking biometric systems highlights the need for two-factor authentication in enterprises according to expert Randall Gamby.continue reading
Bimodal IAM may be a new term, but this new way to use user credentials should probably already be in practice among secure organizations.continue reading
Reviewing credential dumps could potentially save identity information from being stolen and used in a data breach. Expert Randall Gamby explains why...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.