Ghost logins create hidden access paths outside SSO
Applications are often accessible via direct login methods even after SSO is enabled. These unmanaged paths allow attackers to bypass identity controls using stolen credentials.
Most SaaS applications support multiple ways to log in. When an account is first created, it often includes a username and password. Even after SSO is configured, that original login method frequently remains active.
These unmanaged login paths are known as ghost logins. They sit outside centralized identity controls and are rarely tracked or audited.
In large SaaS environments, this happens at scale. Users adopt applications independently, configure credentials, and continue using them long after identity policies change.
Ghost logins don’t look like an attack. They are legitimate login paths that were never fully disabled. According to Push research, 2 in 5 logins were not protected by MFA, and many occurred outside SSO flows.
Identity providers only see authentication events that pass through SSO. Direct logins to applications often generate separate logs, if they are logged at all. This creates a gap where access exists but visibility does not.
An attacker using a stolen credential through a ghost login appears as a normal user.
The risk isn’t a single misconfiguration. It’s the accumulation of unmanaged identities and access paths that exist outside policy.
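One way to narrow this visibility gap from logs alone, shown as an added example that is not Push's code or method: correlate each application's own login records with the identity provider's SSO events and flag application logins the IdP never saw. The field names, the five-minute window and the sample records are constructed assumptions, not a real vendor schema.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, not a real vendor schema.
IDP_SSO_EVENTS = [  # what the identity provider sees
    {"user": "alice@example.com", "app": "crm", "time": "2024-05-01T09:00:05"},
    {"user": "bob@example.com", "app": "wiki", "time": "2024-05-01T09:10:00"},
]
APP_LOGINS = [  # what each application's own audit log records
    {"user": "alice@example.com", "app": "crm", "time": "2024-05-01T09:00:07",
     "method": "saml", "mfa": True},
    {"user": "bob@example.com", "app": "wiki", "time": "2024-05-01T14:30:00",
     "method": "password", "mfa": False},
    {"user": "carol@example.com", "app": "crm", "time": "2024-05-01T11:00:00",
     "method": "password", "mfa": True},
]
WINDOW = timedelta(minutes=5)  # assumed max delay between SSO event and app session


def find_ghost_logins(app_logins, idp_events, window=WINDOW):
    """Return app logins with no IdP SSO event for the same user and app
    in the preceding window, i.e. logins the IdP never saw."""
    sso_times = {}
    for ev in idp_events:
        key = (ev["user"].lower(), ev["app"])
        sso_times.setdefault(key, []).append(datetime.fromisoformat(ev["time"]))

    findings = []
    for login in app_logins:
        t = datetime.fromisoformat(login["time"])
        key = (login["user"].lower(), login["app"])
        matched = any(timedelta(0) <= t - s <= window for s in sso_times.get(key, []))
        if not matched:
            # A direct login without MFA is the higher-risk case.
            findings.append({**login, "severity": "medium" if login["mfa"] else "high"})
    return findings


def apps_allowing_local_credentials(findings):
    """Applications where at least one login bypassed SSO."""
    return sorted({f["app"] for f in findings})


if __name__ == "__main__":
    for f in find_ghost_logins(APP_LOGINS, IDP_SSO_EVENTS):
        print(f"{f['severity'].upper():6} {f['user']} -> {f['app']} "
              f"via {f['method']} at {f['time']} (mfa={f['mfa']})")
```

This only works for applications that log direct logins at all; applications with no audit log remain invisible to this approach.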

Push operates in the browser, where each authentication happens. It observes how users log in across applications, regardless of whether the flow goes through SSO or a direct login.
Security teams can identify applications that still allow local credentials, detect when users authenticate outside expected flows, and surface accounts missing protections like MFA.
Push also helps remediate these gaps. Teams can guide users to move to secure login methods, enforce stronger authentication, and reduce reliance on unmanaged credentials.
