Auth/SSO

AUTH-02

Single Sign-On (SSO) Coverage & Enforcement

This control asks one thing: How consistently is Single Sign-On (SSO) enforced across workforce applications, including long-tail, legacy, and internally built systems?

Low Maturity

What Failure Looks Like

The documented failure mode at level 0 (Absent) on the 0 to 4 maturity scale:

Credential reuse and phishing attacks spread laterally across applications. Compromise of one low-value app enables access escalation.

High Maturity

What Good Looks Like

The business value the methodology documents at level 4 (Optimized):

Turns authentication from a liability into a durable security control.

Next Step

A Typical Next Move

For programs sitting around level 0 (Absent), the methodology recommends this as the next rational step:

Mandate that all new applications integrate with the enterprise IdP and prohibit new local authentication stores.

What reaching level 2 (Developing) unlocks

True centralized access control and policy consistency

Evidence

Evidence Assessors Ask For

A sample of the artifacts an assessor expects to see around level 2 (Developing):

  • Fallback local accounts remain active
  • SSO is optional in some applications
  • Inconsistent enforcement across business units

Compliance

Compliance Frameworks That Cite This Control

The bank's regulatory mapping for AUTH-02 resolves to 6 frameworks with a researched compliance threshold. Weakness here shows up in audits, not only in incidents.

Where Does Your Program Land on AUTH-02?

This page is the teaser layer. The full rubric behind AUTH-02 defines 5 scored maturity levels, 0 to 4, each with its own operating model, evidence expectations, and regulatory citations. That rubric is the scoring instrument, so it ships inside the assessment rather than on a marketing page. Running the assessment takes about 20 minutes and no signup is required to start.