Skip to Content
Endpoint and Identity

What is SSO (single sign-on)?

SSO (Single Sign-On) is the authentication method that lets a person sign in once and reach several applications without typing the password again in each one. Instead of a different password for every system, the person identifies themselves a single time, with a central identity provider, which passes a secure proof for the other applications to trust them.

Zamak TechnologiesUpdated on July 11, 2026

How SSO works

Instead of holding a password in each application, SSO concentrates the identification in a single identity provider. The applications come to trust a proof it signs, not a password of their own.

1

The person requests access to an application

When opening a system, instead of asking for a password of its own, the application forwards the request to the central identity provider.

2

The provider checks the identity once

This is where the identity is truly verified, almost always with a second proof (MFA). Once done, it does not have to be repeated for each application.

3

A secure token is issued

With the identity confirmed, the provider generates a signed, temporary proof, the token, which attests who the person is without exposing any password.

4

The applications trust the token

Each system accepts the token and grants access. The person moves between applications without typing the password again, and there is no separate password to leak in each one.

Source: N-able Cyber Encyclopedia (definition and authentication flow).

Signs that a company needs SSO

  • People juggle dozens of different passwords, stick notes on the monitor and reuse the same password across systems to cope.
  • The help desk spends part of the day resetting forgotten passwords, and each reset is a moment when a fraudster can impersonate the user.
  • When someone leaves the company, access has to be hunted down account by account, and almost always one is left forgotten and active.
  • There is no clear way to know who has access to what, because each application keeps its own list of users and passwords.

SSO, password managers and MFA: how they fit together

  • SSO (single sign-on) A central identity opens several applications. It cuts the number of passwords to protect down to one, and gives a single place to require MFA and to cut off access when someone leaves.
  • Password manager Stores many different passwords in a vault and fills them in for you. There is still one password per application, just organized. It helps, but it does not concentrate the identity or the access cut-off.
  • MFA (second verification) The extra proof beyond the password. In SSO it is essential: because a single identity opens everything, that identity has to be protected by MFA, always.
  • The risk SSO concentrates If the single identity is stolen and there is no MFA, the intruder gets into every application at once. That is why SSO without MFA trades convenience for danger.

Why too many passwords became a risk

30%
of devices found in credential-stealing malware logs were corporate-managed devices (Verizon DBIR 2025)
22%
of breaches start with a stolen credential, the number one entry vector (Verizon DBIR 2025)
$ 4.44M
average cost of a data breach (IBM 2025)

Each person in a company piles up dozens of passwords, and the human way out is always the same: reuse the same password across systems and write it down wherever is easiest. One of those reused passwords leaking is enough for the attacker to try it everywhere, and that is why a stolen credential is the number one way in (22%, Verizon DBIR 2025) and the human element shows up in 60% of breaches (Verizon DBIR 2025). The scale of the problem is clear in one figure: of the devices found in credential-stealing malware logs, 30% were corporate-managed devices (Verizon DBIR 2025). SSO attacks the root: it reduces many passwords to a central identity, protected by MFA, that the company can strengthen and revoke in one place. Done without MFA, though, it concentrates the risk instead of reducing it, while a breach still costs an average of $ 4.44 million (IBM 2025).

How to adopt SSO safely

SSO only delivers what it promises when the central identity is well protected. Without that care, it swaps many fragile doors for a single door that is far too valuable. What separates one from the other:

  1. MFA on the central identity, alwaysBecause one login opens everything, that identity needs the second verification. SSO without MFA concentrates the risk instead of reducing it.
  2. Start with the most-used applicationsConnect the day-to-day systems first, where password reuse is highest. The security gain shows up quickly.
  3. Cut off access in one placeWhen someone leaves, turning off the central identity removes access to every application at once, with no account-by-account hunt.
  4. Take care of availabilityBecause everything depends on the identity provider, choose a reliable service with a plan for downtime. A well-run central identity is more resilient than dozens of loose logins.
  5. Keep the other layersSSO organizes the identity, but it does not replace endpoint protection or email security. It is one piece, not the whole defense.

In practice

If an employee left today, how long would it take to cut their access to every system? With single sign-on and MFA, it is one click; without it, it is a hunt, and the forgotten account becomes an open door.

How Zamak handles single sign-on

Zamak Technologies concentrates the identity into a single sign-on protected by a second verification (MFA), to reduce the number of passwords that can leak and give the company one place to strengthen access and cut it off the moment someone leaves. A good starting point is the cybersecurity diagnostic, which shows where a company still relies on many loose passwords. It is part of Cybersecurity in the Zamak Method.

Frequently asked questions about SSO

What is the difference between SSO and a password manager?
A password manager stores many different passwords in a vault and fills them in for you: there is still one password per application. SSO replaces those passwords with a central identity that opens several applications with a single login. The manager organizes; SSO concentrates the identity in one point, protected by MFA.
Is SSO secure? Doesn't it increase the risk?
SSO is secure when the central identity is protected by MFA. Without MFA, it concentrates the risk: a single stolen password would open everything. With MFA, it reduces the risk, because there are fewer passwords to leak and one place to strengthen and revoke access.
Is SSO the same as MFA?
No, and the two go together. SSO decides how many passwords you type (ideally one). MFA decides how many proofs you give beyond the password (two or more). SSO organizes access; MFA makes sure it is the right person. The recommended standard is SSO with MFA.
What happens if the identity provider goes down?
Because SSO concentrates access, an outage of the provider can block the login to several applications. That is why choosing a reliable service and a plan for downtime is part of good SSO. The gain in security and control usually outweighs that risk, when it is well managed.
Is SSO worth it for a small company?
Yes. The smaller the team, the more people pile up passwords and reuse them. Delivered as a managed service, single sign-on with MFA is within reach without a large IT team, and it makes cutting off access when someone leaves far simpler.
Do I have to replace all my systems to use SSO?
No. Most business applications already speak the single sign-on standards and connect to a central identity provider. Adoption is usually gradual: it starts with the most-used systems and grows, without replacing the applications.

Related terms

Endpoint and Identity
MFAPAM (privileged access)SSO (single sign-on)
Network and Access
Securing the Use of AI
Shadow AIAI governancePrompt injectionOWASP LLM Top 10Deepfake
Vulnerabilities and Security Testing
Vulnerability ManagementPenetration Testing (pentest)Vulnerability ScanningBrute-Force AttackSQL InjectionCross-Site Scripting (XSS)SAST and DAST