Imagine an IT environment with full-blown SSO, where the primary accounts have the same password as somebody's home computer, the passwords are far too short (anything less than 12 positions is short), and they are kept in a spreadsheet on a computer without disk encryption. Now imagine that such a password gets compromised and all extremely sensitive data on your corporate network can be accessed through that one account, just because you implemented SSO.
Data classification ethics
Public data
Public data may be read by at least anyone in the organization. That does not mean it has to be readable by everyone, but it might just as well be.
Corporate data
The second category is corporate data: data that may not be read by everyone in the organization. This type of data is important for the business to function, but it is neither protected by law nor intellectual property.
Secret data
The third category is secret data. All personally identifiable information (PII), intellectual property (IP) and any other information that is subject to law or regulators must be treated as secret data. Most of the time the crown-jewel data lives in this category. Think of information that is vital to stock trading and may not leak because of regulators, and of personal information about your customers that is subject to the EU Privacy Directive.
Stepping up your SSO
Whenever a user accesses information in a higher-level category, ask for a new 2FA code.
There is no need to re-ask the password: just the code from the authenticator app, physical token, YubiKey, SMS or whatever you use for 2FA. This mechanism prevents a compromised password alone from giving access to all data without further obstruction. 2FA also helps users to detect login attempts on their accounts (in the case of SMS, they see the code arrive).
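The step-up decision described above, as an added Python example (not code from the original post): a session starts at the public level after the SSO password login, and reading corporate or secret data requires a fresh second-factor check, never a password re-prompt. The Session fields and the 15-minute validity window are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# The three classification levels from the post, least to most sensitive.
LEVELS = {"public": 0, "corporate": 1, "secret": 2}

# Assumption: a step-up stays valid for a limited window, after which the
# user must present a fresh second-factor code again (not the password).
STEP_UP_TTL_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    # Highest classification this session has been stepped up to. A plain
    # SSO login (password only) grants access to public data only.
    verified_level: int = 0
    # When the last second-factor code was verified; None means never.
    stepped_up_at: Optional[float] = None


def needs_step_up(session: Session, classification: str, now: float) -> bool:
    """True when reading data of this classification requires a fresh 2FA code."""
    required = LEVELS[classification]
    if required == 0:
        return False                      # public data: the SSO login is enough
    if session.verified_level < required:
        return True                       # never stepped up this high
    if session.stepped_up_at is None:
        return True                       # defensive: level set without a check
    return now - session.stepped_up_at > STEP_UP_TTL_SECONDS


def step_up(session: Session, classification: str, code_ok: bool, now: float) -> bool:
    """Record a successful second-factor check for the given classification.

    Only the result of the 2FA code check is consumed here; the password is
    deliberately not re-asked. Returns True when the step-up succeeded.
    """
    if not code_ok:
        return False
    session.verified_level = max(session.verified_level, LEVELS[classification])
    session.stepped_up_at = now
    return True
```

A stepped-up session also covers every lower category, so a user who just read secret data is not prompted again for corporate data until the window expires.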