Two recommendations come to mind. One is to establish a good security and compliance awareness program. Generally, if people are told not to do something -- like access another person's account without proper authorization -- they'll comply.
Second, for extremely sensitive data applications, use two-factor authentication. Username/password authentication in an SSO environment is much riskier than two-factor authentication, as you note. And two-factor authentication doesn't mean all users have to carry a smart card; tokenless two-factor authentication services are readily available and not as expensive as their hard-token counterparts.
But the biggest recommendation I have to offer is to do a market study on whether hardening single sign-on environments is even necessary. (Ask the single sign-on vendor(s) you're working with to help with this.) Generally, organizations are able to implement single sign-on internally with few to no issues of compromise using username/password schemes. Also, be sure to discuss security concerns with the senior managers to better understand what their actual fears are and address them directly.
Related Q&A from Randall Gamby