by gkop 1568 days ago
Article does a decent job of calling out some usability issues with SSO, but doesn't investigate the impact of these usability issues on security. Security and usability are often in tension - if we're going to improve usability, our proposed changes also need to improve security, or they're dead on arrival. (which is incidentally how we got to this place of horrendous usability)

Indeed, there are some material security issues with the real life corporate SSO experience described in the article. For example, users habituate to frequent authentication requests, so they click through them blindly, which opens the door for phishing.


My pet peeve is having to change my password every 3 months. I can practically guarantee all the employees use some form of incrementing number.
1. Try passwords until you get locked out

2. Engage with IT to unlock

3. Reset password flow

4. Iterate on new password as the complexity requirements you fail are slowly revealed to you

5. “Password cannot be the same as previous n passwords”

6. End up with an even more forgettable variation

7. Sign in again across all your now-invalid sessions across a dozen apps and devices.

8. Apply liberal amounts of 2FA + push-based and email or txt confirmations to the above for extra hate from users.

9. Repeat forever because obviously there is no better way to do this, but GraphQL and NFTs are going to save the world, let’s work on those instead!

Don't get me started...
> Security and usability are often in tension - if we're going to improve usability, our proposed changes also need to improve security, or they're dead on arrival.

I'd actually say it's the other way around. One of my favorite quotes related to that is "security at the expense of usability is at the expense of security". If you force users to rotate passwords, they'll use some form of continuous passwords and/or stick them with notes to their monitors. If you need to sign in all the time, users will be less careful and choose easier passwords. If it takes 20 seconds to authenticate at the front door, it will only take a few days until someone puts a brick there to keep it open. To improve security, you'll absolutely need to consider the UX; improving the UX while not caring about security, OTOH, works quite well in my experience (until it blows up in your face, which might be years away or even a moral hazard).