What is the SSO Tax?
If you work in cybersecurity (or if you’re just an enthusiast), the term single sign-on, or SSO, is one you’re likely all too familiar with. From increased productivity and lower IT costs to an overall tightening of security, the benefits of SSO are well known. SSO expedites the user login process, enabling users to log in to multiple applications using one set of credentials, usually through an identity provider (IdP) such as Okta or Microsoft Entra ID.
In recent years, software vendors have used the importance of SSO to their advantage, building SSO-implementation fees into their pricing—a practice that’s come to be known as the “SSO Tax.” Vendors typically package these fees into an “enterprise” pricing tier, requiring companies seeking to use this core security feature to pay extra for the privilege. Think of it like a skydiving agency charging customers an additional fee to deploy their parachutes. SSO is viewed as a necessity, not a luxury feature, for security teams, so the SSO Tax is a major cause of frustration for companies of all sizes and budgets.
To get an idea of how many software vendors are upcharging for this security feature (and how much), check out SSOtax.org’s wall of shame.
Why is the SSO Tax problematic?
Fundamentally, the SSO Tax is bad business. By locking away core security functionality behind high prices, software vendors are forcing small and mid-market companies to choose between paying prices they can’t afford or sacrificing their security posture and end user experience.
SSO provides a foundation on which to layer stronger authentication measures like multi-factor authentication (MFA) and timed authentication sessions, and so hiding it behind a pricing wall also makes it hard for small businesses to implement more advanced security controls.
While smaller businesses using only a few applications may be able to get by without SSO, the need really becomes apparent when employee counts increase and, with them, the number of apps and associated login credentials. As businesses scale, they face a slew of identity-based threats associated with multiple logins and weak passwords that SSO can mitigate.
The motivation behind the SSO Tax
The practice of packaging SSO capabilities into enterprise pricing tiers is driven by the same general motive that drives all business: profit. While it’s important to acknowledge that building out the functionality to provide SSO support does involve some vendor costs, the retail price point is not reflective of the actual costs incurred, with some vendors charging a percentage differential in the thousands between base and enterprise pricing.
Motivation for charging the SSO Tax falls into three related revenue buckets:
- Offset build and maintenance costs: Vendors recoup (and then some) the costs of building out and maintaining SSO support by charging for it.
- Drive upsells: Placing SSO support behind an enterprise paywall allows vendors to upsell customers to a higher pricing plan. SSO is a necessity for large enterprises, and an SSO paywall ensures they’ll spend big money on it. But it also places smaller businesses, for whom SSO is equally important, in the position of having to purchase a higher pricing package than they otherwise would.
- Achieve higher profit margins: By locking SSO behind the highest tier of product pricing, vendors drive almost pure profit.
How to combat the SSO Tax
Ultimately, it’s on buyers to realize and push the view that SSO isn’t a luxury feature but a critical piece of security functionality that should be included in base pricing. Without SSO, companies leave sensitive business and customer data more open to risk from bad actors. SSO allows companies to mitigate the use of weak or duplicate passwords and enforce stronger authentication controls like MFA, not to mention reduce the manual lift of managing password resets and employee offboarding across numerous separate applications.
While there’s no immediate solution to the problem of the SSO Tax, companies can fight against it. Stay up to date on the “Wall of Shame” to know which vendors buyers can pressure to remove their SSO Tax and instead include SSO support in their base product pricing.
Security beyond SSO
While SSO is a core security requirement for companies of all sizes, it is far from a perfect layer of protection. Bad actors are getting more intelligent and finding new ways to abuse vulnerable authentication tokens and compromise user identities, using malware, phishing, and session hijacking to achieve that end goal. Even SSO providers such as Okta have been compromised directly, leading to incidents such as the HAR files debacle.
It’s important to shore up security beyond SSO by enforcing strong access controls. Getting visibility into who has access to what and reducing excessive or unused privileges will decrease your attack surface area—so if credentials are compromised by an attacker, the attacker won’t get very far. Implementing just-in-time (JIT) access for sensitive resources and working toward zero standing privileges overall is the best way to strengthen your security posture.
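The access-review logic described above can be made concrete. The following is an added example, not ConductorOne’s code or product: it reads a constructed entitlement snapshot (user, app, role, grant date, last use, standing vs. time-bound), flags grants that are unused or permanently privileged, shows the blast radius of one compromised identity, and shows how much standing privileged access remains once the unused grants are removed. The snapshot fields, the 90-day idle threshold and the set of roles treated as privileged are assumptions; a real IdP or access-review export would be mapped into these fields first.

```python
"""Flag excessive or unused access grants in an entitlement snapshot.

Added example (not ConductorOne's code). The snapshot below is constructed
for illustration; real exports would be normalized into the same fields.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: which roles count as privileged in this environment.
PRIVILEGED_ROLES = {"admin", "owner", "billing_admin"}


@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    role: str
    granted: date
    last_used: Optional[date]  # None = the grant has never been exercised
    standing: bool             # True = permanent grant, False = time-bound / JIT


# Constructed sample snapshot, the shape an access-review tool might export.
TODAY = date(2024, 6, 1)
SNAPSHOT = [
    Grant("alice", "payroll", "admin", date(2024, 1, 10), date(2024, 5, 30), True),
    Grant("bob", "payroll", "admin", date(2023, 9, 1), date(2023, 10, 2), True),
    Grant("bob", "crm", "viewer", date(2023, 9, 1), date(2024, 5, 29), True),
    Grant("carol", "cloud-console", "owner", date(2024, 2, 14), None, True),
    Grant("dave", "cloud-console", "owner", date(2024, 5, 31), date(2024, 5, 31), False),
    Grant("erin", "wiki", "editor", date(2022, 3, 3), date(2024, 5, 1), True),
]


def unused_grants(snapshot, today=TODAY, max_idle_days=90):
    """Grants never used, or idle longer than max_idle_days: removal candidates."""
    cutoff = today - timedelta(days=max_idle_days)
    return [g for g in snapshot if g.last_used is None or g.last_used < cutoff]


def standing_privileged_grants(snapshot):
    """Permanent privileged roles: candidates to convert to just-in-time access."""
    return [g for g in snapshot if g.standing and g.role in PRIVILEGED_ROLES]


def blast_radius(snapshot, user):
    """(app, role) pairs an attacker obtains by compromising this one identity."""
    return sorted((g.app, g.role) for g in snapshot if g.user == user)


def privileged_after_cleanup(snapshot, today=TODAY, max_idle_days=90):
    """Standing privileged grants that remain once unused grants are revoked."""
    to_remove = set(unused_grants(snapshot, today, max_idle_days))
    return standing_privileged_grants([g for g in snapshot if g not in to_remove])


if __name__ == "__main__":
    print("Unused grants (revoke):")
    for g in unused_grants(SNAPSHOT):
        print(f"  {g.user:6} {g.app:14} {g.role:8} last used: {g.last_used}")
    print("Standing privileged grants (convert to JIT):")
    for g in standing_privileged_grants(SNAPSHOT):
        print(f"  {g.user:6} {g.app:14} {g.role}")
    print("Blast radius if 'bob' is compromised:", blast_radius(SNAPSHOT, "bob"))
    print("Standing privileged grants after cleanup:",
          [(g.user, g.app) for g in privileged_after_cleanup(SNAPSHOT)])
```

On the constructed snapshot, two grants are flagged as unused (one idle admin role and one owner role that was never exercised), three standing privileged grants exist before review, and only one remains after the unused ones are revoked. The remaining standing owner and admin roles are the ones to move to JIT access on the way to zero standing privileges.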
To learn more about how ConductorOne can help you get visibility into your access environment and lower standing privileges, check out our product tour or chat with us!