05/20/2026 Identity Access Management 9 min read

Single sign on: why one login will define the future of frontline work

In the Middle Ages, a gatekeeper at the monastery entrance carried a single large ring of keys and knew everyone who entered by name. Anyone who wanted to come in did not need a document, a seal, or a password. It was enough to be recognized. How many login credentials does a nurse carry today before seeing their first patient, and how many of them actually serve security?

Single sign-on promises a modern answer to a very old idea: one login, one token, many applications. But the real question is bigger. It concerns identity within the company, and with it, concepts such as identity fabric, biometric login, or an onboarding process that does not begin with a slip of paper containing a password. This article shows what single sign-on (SSO) can do, where its limits lie, and why the future of your company depends on how employees access resources, data, and applications.

Dr. Franzi Finkenstein

Key Takeaways

  • Single sign on is not a security feature dressed up as convenience. It is the operational backbone of modern access management, and the difference between a frontline worker who starts their shift in thirty seconds and one who loses ten minutes a day to a login page.

  • The technical pieces, Security Assertion Markup Language, OpenID Connect, Active Directory, an authentication token, only matter if they are deployed with the texture of real working days in mind. Implementing SSO badly is worse than not implementing it at all.

  • As AI agents begin acting on behalf of employees, a single, verified user's identity becomes the most valuable asset in the enterprise. Companies that get single sign on right today are building the trust infrastructure that AI will run on tomorrow.

The hospital that stopped asking nurses to log in

In 2017, researchers published a peer-reviewed evaluation in the International Journal of Medical Informatics of a workstation single sign on rollout across nineteen community hospitals in the United States. Before the rollout, clinicians on roaming shifts had to type a username and password into every shared workstation they touched, dozens of times a shift. After the rollout, a swipe of an identification badge handled successful authentication in under a second.

Across the nineteen sites, time savings landed at roughly 1,461 hours per facility per year for physicians, nurses, and ancillary staff, with an estimated recurrent financial return of around $92,000 per facility annually (Hyman, 2017).

That study is worth dwelling on because it is one of the few peer-reviewed looks at what happens when you take password fatigue seriously in a deskless, shift-based environment. Hospitals are not factories or distribution centres, but the structural pattern is the same: many users, shared workstations, mobile movement, life-or-death pressure on time. The nurses in that study were not asking for a "better experience." They were asking to stop wasting the most finite resource they had: attention.

Most frontline organisations are still asking their people to spend that attention on login screens.

How single sign on works

Single sign on, often abbreviated SSO, is an authentication process that lets a user sign in once and gain access to multiple applications without entering separate login credentials for each one. This is how single sign on works in practice: a user logs in to a central identity provider, which verifies the user's identity, issues an authentication token, and passes that token to each connected service provider when access is requested. Single sign on authentication then unlocks the next application automatically.

In practice, three standards do most of the work.

Security Assertion Markup Language, usually written as SAML or sometimes (incorrectly) as "security access markup language," is an XML-based protocol that exchanges authentication and authorisation data between an identity provider and a service provider. When the user signs in to the identity provider, a SAML assertion — a digitally signed security assertion — is sent to the service provider, which grants access without a second login page.

OpenID Connect, often written as OIDC, sits on top of OAuth 2.0 and serves the same purpose for modern web applications and mobile apps. It is lighter than SAML and increasingly the default authentication protocol for cloud-native systems.

Active Directory, or more precisely directory server authentication via protocols like Lightweight Directory Access Protocol, remains the foundation of user authentication in most large organisations. Active Directory stores user credentials, user permissions, and group memberships. SSO solutions typically federate with Active Directory rather than replace it.

A modern SSO system uses these pieces together. The SSO process looks roughly like this: the user requests access to a web application, the service provider redirects the user's browser to the identity provider, the identity provider verifies the user's identity (often with multi factor authentication), an SSO token is issued, and the user gains access without a second login screen. The same token then unlocks subsequent applications for the same user, which is what people mean when they say "frictionless access."

This is the part most explainers stop at. The interesting question is what it does for the business.

Why single sign on matters for access management

A single sign on (SSO) strategy does three things at once, which is rare for a piece of enterprise infrastructure.

First, it consolidates access management. Instead of every system maintaining its own list of who can do what, a single identity provider becomes the authoritative answer to "who is this person, and what are they allowed to do?" That makes it dramatically easier to manage access and user permissions, and to enforce consistent security policies across multiple applications.

Second, it improves user experience in a way that is visible from the first shift. The user signs in once, and the friction disappears. Password resets, forgotten login credentials, and the small humiliations of locked-out accounts shrink. Gartner has long estimated that around 40% of help desk tickets are password-related, and Forrester puts the cost of a single reset at roughly $70 (Bleeping Computer, 2024). Multiply that by a thousand frontline employees with five or six work tools each, and the maths becomes uncomfortable. A user friendly SSO authentication flow is not a cosmetic gain. It is a recurring operational saving.

Third, it raises the floor on security. This is the part that often surprises people who think of SSO as a convenience feature.

The counterintuitive security posture of SSO

There is an old objection to single sign on: "If one credential unlocks everything, isn't that worse?" It is a fair instinct, but it misreads how attacks actually happen.

When employees have multiple passwords for multiple applications, they do not memorise sixteen unique strings. They reuse two or three, write them on the back of a badge, and recycle them across personal and work accounts. A 2025 analysis of 19 billion leaked credentials found that 94% were reused or duplicated across accounts. The security risks of multiple passwords are not theoretical; they are the dominant vector for credential stuffing and account takeover.

A well-designed SSO solution reverses this. Because there is one credential to protect, that credential can be wrapped in serious controls: multi factor authentication, conditional access policies driven by user behaviour (user behavior, in some standards) and device posture, and centralised revocation the moment an employee leaves.

The SSO security model is not "one password to lose." It is "one identity to authenticate users properly, every time," with authorisation data, written as authorization data in international standards, passed between systems so user passwords never travel.
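
The flow from "How single sign on works" together with the controls described here (multi factor authentication at the identity provider, short-lived tokens, centralised revocation), as an added Python sketch that is not from this article or any product it mentions. The issuer URL, keys, user and service names are constructed, and HMAC with one key per service provider stands in for the signed SAML assertion or OpenID Connect ID token a real identity provider would issue.

```python
import base64, hashlib, hmac, json

ISSUER = "https://idp.example.test"            # constructed issuer name
TOKEN_TTL = 300                                # seconds; short life bounds a leaver's access
# Constructed data. One signing key per service provider, as in OIDC HS256 where
# the client secret is the key; a real service provider holds only its own entry.
SP_KEYS = {"shift-planner": b"constructed-key-1", "payslips": b"constructed-key-2"}
DIRECTORY = {"nurse.a": {"active": True, "groups": ["ward-3"]}}

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key, body):
    return b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())

def idp_login(user, password_ok, mfa_ok, now):
    """The only place credentials are checked. Returns an IdP session or None."""
    account = DIRECTORY.get(user)
    if not (account and account["active"] and password_ok and mfa_ok):
        return None
    return {"sub": user, "auth_time": now}

def idp_issue(session, audience, now):
    """Mint a short-lived token for one service provider from an IdP session."""
    account = DIRECTORY.get(session["sub"])
    if not (account and account["active"]) or audience not in SP_KEYS:
        return None                            # centralised revocation lands here
    claims = {"iss": ISSUER, "sub": session["sub"], "aud": audience,
              "iat": now, "exp": now + TOKEN_TTL, "groups": account["groups"]}
    body = b64e(json.dumps(claims).encode())
    return body + "." + sign(SP_KEYS[audience], body)

def sp_validate(token, me, now):
    """Service-provider check. Returns (claims, "ok") or (None, reason)."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sign(SP_KEYS[me], body).encode(), sig.encode()):
        return None, "bad signature"
    claims = json.loads(b64d(body))            # parsed only after the signature holds
    if claims["iss"] != ISSUER:
        return None, "wrong issuer"
    if claims["aud"] != me:                    # defence in depth if keys were ever shared
        return None, "wrong audience"
    if now >= claims["exp"]:
        return None, "expired"
    return claims, "ok"

if __name__ == "__main__":
    s = idp_login("nurse.a", True, True, now=1000)       # one login, with MFA
    for sp in SP_KEYS:                                   # no second password prompt
        print(sp, sp_validate(idp_issue(s, sp, 1000), sp, 1001)[1])
    t = idp_issue(s, "shift-planner", 1000)
    print("replayed at payslips:", sp_validate(t, "payslips", 1001)[1])
    DIRECTORY["nurse.a"]["active"] = False               # leaver processed at the IdP
    print("new token after revocation:", idp_issue(s, "payslips", 1002))
    print("old token after TTL:", sp_validate(t, "shift-planner", 1000 + TOKEN_TTL)[1])
```

The service providers never receive a password: they see only a signed, audience-bound, expiring statement from the identity provider, which is why deactivating one directory entry cuts off every connected application within one token lifetime.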

This is also where federated identity management enters the picture. Federated authentication lets a single identity provider issue assertions that third party websites and partner systems trust, without those partners ever holding user passwords. For organisations with contractors, franchisees, or temporary staff, federated identity management is what makes secure access at scale possible.

There is a structural point worth naming. The companies most vulnerable to credential attacks are not the ones with too few security tools. They are the ones whose security tools assume a desk, a corporate email address, and a managed laptop, none of which most frontline workers have.

The frontline problem that office-first SSO ignores

Most SSO implementation guides assume the user logs in on Monday morning at a desk, opens a browser, and stays signed in until Friday. That is not how operational employees work.

A retail associate clocks in on a shared till, swaps it with a colleague at break, and uses a personal phone for shift-swap notifications. A warehouse worker pulls up a pick list on a rugged scanner, then walks past a wall-mounted terminal to confirm a safety check. A nurse logs into a workstation, walks ten metres, logs into another, and walks back. Each of these moments is an authentication request, a login process office-first SSO was never designed for.

Three things break here. The login page itself, because typing a password on a touchscreen with cold hands is slow and error-prone. The recovery flow, because a frontline worker without a corporate email account cannot receive a reset link. And verifying user identities at scale, because identity verification for a desk worker leans on a known device and a known IP range, none of which apply to a shared device on no fixed network.

The result, in most organisations, is one of two failure modes. Either frontline workers share login credentials informally, which destroys auditability and creates real security risks, or they are simply excluded from systems they should have access to. Both are common. Neither is acceptable.

This is the gap that has held back the digital frontline for a decade. It is the gap that finally starts to close in 2026.

How to approach implementing SSO well

Implementing SSO is not a project you finish. It is a posture you maintain. The organisations that succeed tend to do five things in roughly this order, and the same sign of success shows up each time.

They start with a clean inventory of every application a frontline worker actually uses. Not the official list, the real one, including shadow tools and the apps people open on their personal phones. If your SSO provider does not cover them, your SSO eliminates nothing.

They pick an identity provider with deep, native integrations into the systems that matter. A single identity provider that handles Microsoft 365 and Workday but cannot federate with the shift planning tool used by 8,000 retail staff is not solving the problem.

They invest in authentication methods that fit the work. Biometric login, badge readers, PIN-on-device, and short-lived SSO tokens often beat passwords for shared and shift-based contexts. Multi factor authentication should be designed around what the worker actually carries. A good, secure SSO design treats the phone, the badge, and the body as legitimate factors.

They define consistent security policies in one place. The point of a central SSO service is that the security posture is enforced once, not renegotiated per application. Conditional access, session length, and password management rules should live with the identity provider.

And they measure. Time-to-first-task on a new hire's first shift. Help desk tickets per hundred users per month. Password resets per month. Accounts revoked within 24 hours of a leaver. These numbers tell you whether your SSO implementation is working, not the number of applications connected.

Flip Identity: built for people without a desk

A short note here, because it would be dishonest to write about single sign on for frontline teams without mentioning that this is part of what Flip is building. Flip Identity is Flip's digital identity layer for deskless workers, designed so that an employee can authenticate once with a method that fits their reality — a phone, a badge, a biometric — and then move seamlessly between communication, HR self-service, shift tools, and the systems they actually need to do their job. It removes the need for a separate corporate email address, integrates with the identity infrastructure most enterprises already run, and supports the same standards (SAML, OpenID Connect, multi factor authentication) you would expect from any serious access management product.

That is the whole pitch. The rest of this article is about the category, not the product.

Single sign on and the future of work

Here is where the conversation has to widen. Single sign on used to be an IT optimisation. In 2026, it is becoming the foundation of something larger.

When AI agents start acting on behalf of employees, completing workflows, retrieving documents, or executing tasks across HR and operations, the question of whose authority they act under stops being abstract. An AI agent that submits a holiday request needs to know, beyond any doubt, that it is doing so for the right user. An agent that pulls a payslip needs to authenticate against the same identity provider as the employee. An agent that triggers a shift swap must operate within the same user permissions and access control rules the employee themselves hold.

Identity, not interface, is the layer that matters next. The companies that have already consolidated their access management onto a clean SSO architecture will find AI adoption straightforward, because the trust model is in place. The companies that have not will find every AI use case reopens the same authentication problem they failed to solve five years ago.

Better network security and better user experience are not opposing values. They are, increasingly, the same value.

Conclusion: one identity, then everything else

Single sign on is not the most exciting acronym in the enterprise stack. It will not be on the front of an annual report. But it is the quiet decision that determines whether your frontline workers spend their shift working, whether your help desk drowns in password resets, and whether the AI tools you are about to roll out have something solid to authenticate against.

The next decade of frontline work will be defined less by which apps a company buys and more by how cleanly its people can move through them. The organisations that understand this — and treat single sign on as infrastructure for the human experience of work, not just for IT — will be the ones whose employees feel the difference on the first day of the next shift.

Everything else follows from a single, well-protected sign on.

Sources: Hyman, S., Zieger, C., et al. (2017). An Evaluation of the Clinical and Financial Value of Work Station Single Sign-On in 19 Hospitals. International Journal of Medical Informatics; Password Reset Calls Are Costing Your Org Big Money (Bleeping Computer, citing Gartner and Forrester research).

FAQ - Single sign on

What is single sign on and how does single sign on work?

Single sign on is an authentication process that lets a user log in once to a central identity provider and then access multiple applications without re-entering login credentials. The identity provider verifies the user's identity, issues an authentication token, and passes that token to each service provider when the user requests access. The user gains access without a second login page, and the same token grants secure access to other connected systems during the session.

What is the difference between SSO and multi factor authentication?

Single sign on reduces the number of times a user signs in. Multi factor authentication strengthens each authentication request by combining something the user knows (a password or PIN), something the user has (a phone or badge), and something the user is (biometric login). In a well-designed SSO solution, the two work together: the user signs in once with multi factor authentication, and the SSO token then handles access management across applications without further interruption.

Is SSO secure enough on its own?

A central identity provider is only as secure as the controls wrapped around it. SSO without multi factor authentication is weaker than no SSO at all, because a single compromised credential opens many doors. With multi factor authentication, conditional access, and consistent security policies enforced at the identity provider, an SSO system delivers a stronger security posture than a fragmented landscape of user passwords because it eliminates password reuse and centralises revocation.

What is the role of SAML, OpenID Connect, and Active Directory in SSO?

Security Assertion Markup Language and OpenID Connect are the two dominant authentication protocols that let an identity provider and a service provider exchange a verified security assertion. SAML is widely used for legacy enterprise applications; OpenID Connect is the modern default for cloud and mobile. Active Directory, accessed through Lightweight Directory Access Protocol, is the directory server that most enterprises use to store user credentials and user permissions. A typical SSO provider federates with Active Directory and speaks both SAML and OpenID Connect, so that a single sign on options menu can cover web applications, mobile apps, and on-premise systems.

Dr. Franzi Finkenstein

Dr. Franzi Finkenstein is part of the Content & Search team at Flip, writing about digital communication, employee engagement and AI–human connections. Drawing on a humanities PhD and extensive editorial experience, she focuses on how digital technology is reshaping the future of work and explores how employee health and wellbeing in modern workplaces can be improved.
