
SSO is not a silver bullet: Why most organizations augment it with password management

In a recent survey, Bitwarden found that the vast majority of organizations are using SSO but most still have many applications that are unsupported by SSO. Read more to learn how organizations augment it with password management.

Executive summary

With the expansive growth of cloud services, many enterprises opt to manage employee authentication with Single Sign-On (SSO). But SSO doesn’t solve all authentication challenges — far from it.

SSO helps consolidate authentication between applications, simplifying users’ experience by reducing the number of logins and passwords they have to remember, and increasing enterprise security by ensuring strong authentication for more applications. Today, most enterprises use one of two assertion protocols to implement SSO, either Security Assertion Markup Language (SAML) or OpenID Connect (OIDC).

In a recent survey of IT admins and business leaders, Bitwarden found that the vast majority of organizations are using SSO to secure their applications, but most still have many applications that are unsupported by SSO. These respondents noted that legacy applications often do not support SSO, and many SaaS application providers only provide SSO with their most expensive “enterprise” subscriptions. 

As a result, many applications are not covered by SSO. These are not trivial applications, either. Many respondents rate the security risk of non-SSO applications as considerable, and a fifth have already seen security incidents related to these applications.

In short, as one respondent said, SSO is not a “silver bullet.” It needs to be complemented with another solution, and a password manager provides the best of both worlds, according to many respondents.

Key findings

  • 89% of organizations use SSO, but the majority (57%) have up to 50 applications that don’t yet support it.

  • Over half (62%) of respondents say SSO alone is not enough for their organization to achieve secure authentication.

  • Shadow IT applications are the top challenge for organizations when securing authentication to non-SSO applications, cited by 65%. 

  • Respondents say that Bitwarden Password Manager is effective at securing applications not supported by SSO, with 85% citing increased security and 83% reduced credential risk as the top benefits, and 70% pointing to streamlined logins.


Everyone’s using SSO, even though it doesn’t cover every app

SSO has increased in popularity since the dawn of the cloud era. It improves organizations’ security postures and enhances end-user experience. So it’s no surprise that 89% of the respondents in our study say their organizations use SSO.

One reason SSO makes such a difference is the sheer volume of applications that businesses need to support. Two-thirds (66%) of organizations manage more than 100 applications across the organization, and 27% of organizations manage more than 300.

However, many of those applications don’t support authentication through SSO. The majority of organizations in our survey (57% of respondents) say that they have up to 50 applications that don’t yet support it, and 14% have more than 100 applications unsupported by SSO.

SSO gaps by the numbers

Organization applications not supported by SSO | Respondents
1 - 50 | 56.6%
51 - 100 | 15.7%
101 - 200 | 7.2%
201 - 300 | 3.6%
201 - 300 | 3.6%
Unknown | 13.3%


“SSO simplifies our users' access by allowing them to authenticate once and gain access to multiple systems,” said one respondent. “However, it doesn’t cover every application, such as legacy systems, third-party tools, or shadow IT.”

Microsoft Entra ID is by far the most popular choice for implementing SSO, with 40% of respondents using it to secure authentication in their organization. Another 12% use Okta, and 7% use Google Identity.

Regardless of the platform used, and despite its limitations, SSO provides significant benefits. As one leader put it, “Using SSO for all supported applications centralizes authentication, simplifies lifecycle management, and strengthens security.”

SSO is not enough for most organizations 

With so many applications still unsupported by SSO, it’s no surprise that well over half (62%) of respondents say that SSO alone is not enough for their organization to achieve a secure authentication posture.

The risk of non-SSO applications is real. Almost one fifth of respondents (18%) stated that their organization has experienced a security incident related to an application or account that was not secured by SSO. Surprisingly, slightly more (19%) don't even know whether they have experienced an incident or not, likely due to the fact that many of these non-SSO applications are “shadow IT,” outside the control and oversight of IT teams. 

As a result, most organizations use additional methods to ensure application security. Password management and multifactor authentication (MFA) solutions are the top techniques organizations use to secure applications outside of SSO. 

One respondent summarized their approach like this: “Ensure the SSO provider is used wherever possible, enforce strong 2FA, and use the password manager as a secure complement for accounts that cannot be integrated with SSO.”

Additional security layers, plus proactive communication and education, are also crucial to ensure that employees understand authentication best practices.

“SSO isn't a silver bullet,” one respondent said. “Make sure additional controls are in place to protect application data.”

Other methods for securing applications outside of SSO or password management

66% - 2FA or MFA

35% - Employee-managed email and password

21% - SAML-less SSO

18% - Passkeys

16% - Privileged access management

6% - Application proxy

1% - Other

Non-SSO applications are often high-impact 

If you think that SSO covers all the “important” applications and that those outside its coverage are nonessential to security, guess again.

One quarter of respondents rated applications that are unsupported by SSO as posing “considerable risk” or “high risk” to their organizations. They noted that many were applications with a high level of impact on the business, contained sensitive data, could be easily compromised by weak passwords, and in some cases lacked support for MFA.

Another 35% said these applications were at least “medium risk,” meaning a total of 55% felt that non-SSO applications were medium to high risk to the organization. None said that there was no risk at all from apps uncovered by SSO.

“Not all applications that you might consider to be business critical will support SSO out of the box,” one respondent said. “Changing that takes time. In my experience, business users don't tend to choose applications for their SSO capabilities. Forcing it upon them causes shadow IT.”

Even major cloud applications sometimes lack the SSO support that organizations need. As one IT leader put it, “Many ‘mature’ SaaS platforms are still lagging behind for SSO, and almost every org still has legacy authentication needs that also should be well-governed.”

This risk is not merely theoretical. As noted above, 18% of respondents say that their organizations have experienced a security incident due to the lack of SSO support. 

“Even if you're very good at plugging your apps into SSO, you will still have apps that can't be plugged in, like legacy apps and external apps (not managed by your company),” said one respondent.

25% of respondents say non-SSO apps pose a considerable or high risk

35% of respondents rank non-SSO apps as medium risk

18% of organizations have experienced a security incident due to a non-SSO app

Shadow IT: A major challenge

The biggest problem for IT managers seeking to achieve a secure authentication posture for their organization is “shadow IT”: apps installed by business users outside of IT oversight and without IT support.

Sixty-five percent of respondents cited shadow IT as their top challenge when trying to secure authentication for applications that do not support SSO.

The #2 challenge, cited by 43% of respondents, was employee cooperation.

Overcoming those two obstacles requires clearly communicating the advantages of SSO and the necessity (and convenience) of using a password manager for applications that don’t support SSO.

One respondent noted: “SSO doesn’t cover every application, such as legacy systems, third-party tools, or shadow IT. That is where a password manager complements SSO by securely storing and managing credentials for accounts outside the SSO ecosystem.”

Another respondent referred to the way a password manager works as a complementary solution to help ensure complete security. “Treat SSO as your primary access controller for integrated applications and the password manager as a mandatory safety net for everything else—specifically legacy apps, shared team secrets, and shadow IT—to create a complete defense-in-depth strategy.” 

With a password manager, end users are able to secure any credentials they require for their day-to-day work, including non-SSO applications unknown by the IT team (shadow IT).

Top challenges when securing non-SSO apps

58% - Application visibility (shadow IT)

39% - Employee cooperation

30% - Too many applications

27% - Budget

16% - Leadership buy-in

5% - Other

Bitwarden: The perfect complement to SSO

Bitwarden Password Manager is a powerful and convenient solution that complements SSO and ensures security for all applications — those covered by SSO as well as those that aren’t.

“Bitwarden supports us in accounts where SSO is enabled and adds an extra 2FA option in the form of an authenticator or passkeys,” said one respondent.

Over 3/4 of respondents (77%) say that Bitwarden Password Manager is “effective” or “very effective” at securing applications not supported by SSO.

Eighty-five percent noted that Bitwarden Password Manager delivers increased security for their organizations when using it alongside SSO, while 83% say it has reduced their organizations’ credential risk.

It’s a convenient solution that makes life easier for users, too. Seventy percent of respondents say their users benefit from streamlined logins after adopting Bitwarden Password Manager.

“There are some things that SSO just doesn't cover,” said one. “Using Bitwarden with an organization account lets users share credentials securely and even configure MFA in some cases.”

Another respondent raved that they use Bitwarden for their personal passwords, too. “It's the best of both worlds! I use Bitwarden for both my personal and professional passwords, and I encourage my users to do the same.”

Top benefits of Bitwarden and SSO

83% report increased security

83% report credential risk reduction

70% report streamlined logins

Methodology

Bitwarden surveyed 93 enterprise customers, including 74 IT admins, 11 executive leaders, and 6 department heads, from October 28th, 2025 to January 6th, 2026.

Get started with Bitwarden Password Manager

To find out more about how Bitwarden can help secure authentication to non-SSO applications, start a free 7-day business trial today.