by pyrale 1568 days ago
At some point, your user also has the right to make their own policies. Imagine your banker requiring you to take a drug test before they let you do any action; would that be fine by you?

If you were talking about your employees, of course, it's less of an issue, but you are still open to them misusing other solutions: in the end, invasive security policies in a business where people can also use service accounts are a recipe for people building backdoors into their own security. Good security is only as secure as it is convenient for users.

When I was working in banking, people had physical card readers that would identify them. Of course, some people still forgot them sometimes, but they were also necessary to get out of the desk area.


I'm not following you but very curious!

I have no issues getting my enterprise customers to configure SSO, so there's no practical reason for me to support password login.

In the consumer space, which is not my area of expertise, it seems that combinations of "passwordless" and OAuth are working for successful companies.

Where is the last bastion of places where a user can justifiably demand a password login option?

What do you mean by invasive security practices?

(I made some edits to the previous post, as I figured out you may have talked about people working with you rather than clients)

> I have no issues getting my enterprise customers to configure SSO, so there's no practical reason for me to support password login.

I'm not really sure what you mean when you say SSO. We use Google Workspace at work, and use the SSO in several of our products. Still, since Workspace admin prompts us to relog every damn time, some colleagues use the service account to perform Workspace actions. That's a hole of course, as the service account is not supposed to be used for user actions, but it's also more convenient.

Another example, of which I'm guilty, was my previous work's VPN 2FA policy, which my team conveniently skipped with a script doing the OAuth call. Of course, not everyone did the script properly (because prompting for your password takes a couple more lines), and so some of us may have had their credentials in the bash file.

This kind of shortcut is hard to avoid for technical users, and so the golden rule for security in my opinion is that it should be easier to do the right thing. Unfortunately, each person has a different definition of friction, so it's not an easy topic.

> What do you mean by invasive security practices?

It's obviously a personal criterion. To me, invasive starts when people want to get in my phone. It's not really arbitrary, since my phone is a piece of garbage that has no security, but it's a personal thing since others may prefer to have a phone solution.

We certainly agree on the importance of making it easy and convenient for the users to behave well. The traditional example here is onerous password requirements that lead to post-it notes.

> Still, since workspace admin prompts us to relog every damn time, some colleagues use the service account to perform workspace actions. That's a hole of course, as the service account is not supposed to be used for user actions, but it's also more convenient.

This is a great point that I hadn't considered. Thank you!