Two recommendations come to mind. One is to establish a good security and compliance awareness program. Generally,...
if people are told not to do something -- like access another person's account without proper authorization -- they'll comply.
Second, for extremely sensitive data applications, use two-factor authentication. Username/password authentication in an SSO environment is much riskier than two-factor authentication, as you note. And two-factor authentication doesn't mean all users have to carry a smart card; tokenless two-factor authentication services are readily available and not as expensive as their hard-token counterparts.
But the biggest recommendation I have to offer is to do a market study on whether hardening single sign-on environments is even necessary. (Ask the single sign-on vendor(s) you're working with to help with this.) Generally, organizations are able to implement single sign-on internally with few to no issues of compromise using username/password schemes. Also, be sure to discuss security concerns with the senior managers to better understand what their actual fears are and address them directly.