Imagine an IT environment with full-blown SSO where the primary accounts have the same password as somebody's home computer, combined with passwords that are way too short (anything under 12 characters is short) and are kept in a spreadsheet on a computer without disk encryption. Now imagine that such a password gets compromised and all of your extremely sensitive data can be accessed on the corporate network through that one account, just because you implemented SSO.
Data classification ethics
Public data may be read by anyone in the organization at the very least. That does not mean it has to be readable by everyone outside it, but it might just as well be.
Stepping up your SSO
Whenever a user accesses information in a higher classification level, you will need to ask for a fresh 2FA code.
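The step-up rule above can be expressed as a small policy check in the SSO session layer. The following Python is an added example and not code from the original post: it assumes a hypothetical four-level classification scheme, a per-level maximum age for the last 2FA verification (the values are made up for illustration), and a session object that records when the user last completed 2FA. A fresh 2FA satisfies every level whose freshness window has not yet expired, so a verification done for "restricted" data also covers "confidential" data for as long as that level's window allows.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Classification(IntEnum):
    """Hypothetical data classification levels, lowest to highest."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Hypothetical policy: maximum age (seconds) of the last 2FA verification
# that still counts for a given level. None means the primary SSO login
# alone is enough and no step-up is required.
STEP_UP_MAX_AGE = {
    Classification.PUBLIC: None,
    Classification.INTERNAL: None,
    Classification.CONFIDENTIAL: 8 * 3600,   # re-verify every 8 hours
    Classification.RESTRICTED: 15 * 60,      # re-verify every 15 minutes
}


@dataclass
class Session:
    """Minimal SSO session state relevant to step-up decisions."""
    user: str
    mfa_verified_at: Optional[float] = None  # epoch seconds, None = never


def access_decision(session: Session, level: Classification, now: float) -> str:
    """Return 'allow' if the session may read data at `level` right now,
    or 'step_up' if a fresh 2FA code must be requested first."""
    max_age = STEP_UP_MAX_AGE[level]
    if max_age is None:
        return "allow"                      # primary login is sufficient
    if session.mfa_verified_at is None:
        return "step_up"                    # never completed 2FA this session
    if now - session.mfa_verified_at > max_age:
        return "step_up"                    # last 2FA too old for this level
    return "allow"


def record_step_up(session: Session, now: float) -> None:
    """Call after the user has successfully entered a fresh 2FA code."""
    session.mfa_verified_at = now


def demo_scenario() -> list:
    """Walk one session through a sequence of accesses with constructed
    timestamps (epoch seconds) and return the decisions in order."""
    t0 = 1_700_000_000.0                    # constructed start time
    s = Session(user="alice")
    decisions = []
    decisions.append(access_decision(s, Classification.PUBLIC, t0))
    decisions.append(access_decision(s, Classification.CONFIDENTIAL, t0))
    record_step_up(s, t0)                   # user enters a fresh 2FA code
    decisions.append(access_decision(s, Classification.CONFIDENTIAL, t0 + 3600))
    decisions.append(access_decision(s, Classification.RESTRICTED, t0 + 600))
    decisions.append(access_decision(s, Classification.RESTRICTED, t0 + 1200))
    decisions.append(access_decision(s, Classification.CONFIDENTIAL, t0 + 9 * 3600))
    return decisions


if __name__ == "__main__":
    for step, decision in enumerate(demo_scenario(), 1):
        print(f"access {step}: {decision}")
```

The decision is made per request rather than once at login, so a session that was elevated for a restricted document falls back to requiring a new code once the short window passes, while longer-lived confidential access keeps working until its own window expires.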