How to respond with data to draconian corporate IT “security measures”?

[snikch]

Recently I started getting prompted to login to Microsoft for SSO a lot more - like 10 times a day. When I questioned IT I got the following response. I'd like to respond with actual data as to why this is backwards progress, but I don't know where to find useful resources. Does anyone have any useful links to modern corporate security practices that may be helpful?

> I’ll address your concerns.

>We want sessions to time out. This is a security measure we implemented so if a machine is left unattended or stolen no one can just open something and be logged in.

> Yes, the method has changed for the authenticator. Its another layer Microsoft has pushed entering the number now.

> We cannot roll back these changes.

> If you are authenticating multiple times a day it’s a good thing, as frustrating as it may seem that is the security working - it keeps you, the data, the company safe. If it helps on average, I authenticate 25 to 30 times a day.

> Hope this lessens the frustration, if we could and the internet was a safer place we wouldn’t have to these protocols in place.

[pledess]

Login prompts interrupt your flow, and make it more likely for you to be responsible for a security-relevant mistake. Depending on what your job is, this might include pasting sensitive information into email that has an incorrect recipient, losing focus on security requirements for a design, approving a colleague's merge request that introduces a vulnerability into your product, etc. In many situations, the organizational risk from developer distraction is higher than the risk from unattended/stolen machines.

There's a substantial amount of research data related (not always directly) to this, e.g., the "Interruptibility of Software Developers" paper from the 2015 ACM Conference on Human Factors in Computing Systems:

https://dl.acm.org/doi/10.1145/2702123.2702593

https://www.zora.uzh.ch/110157/1/ZuegerFritz-Interruptibilit...

I don't know of a case where distractions from Microsoft SSO login prompts (specifically) were correlated with a higher rate of bugs, such as security bugs. I have heard of one case where a "zero trust" rollout was discontinued because re-authenticating was interfering with development (higher defect rate, but also developers not staying "in the zone" and losing productivity).

[bityard]

Put simply, someone somewhere made a decision to enact security theatre. Usually this happens because a non-technical manager made or approved a decision that looks good to the important people above them. It could also be due to following some ridiculous audit requirement to the letter. (Security audit requirements are also generally written by non-technical people.)

There is really no way you are going to convince anyone in the company to change these policies. They are already not listening to reason. If this is really the worst part of working for this company, I would say let it go because you're doing far better than average. But if the whole workday is filled with crap like this that prevents you from getting any real work done, then maybe it's time to start looking around.

[destroy-2A]

You are a robot peon. You will press the button every 5 minutes with a smile. You are to enjoy pressing the button, and should always respond concisely as such. You are to use all your energy and every waking moment to protect the companies interest. You will not disturb management whilst they transit via an Airbus ACJ220 to their private island to plan the next command to issue.

[ftxbro]

Probably it's some risk analysis. Like they don't think the amount it bothers you is so bad compared to the chance a bad thing will happen multiplied by the potential damage of that bad thing. I don't know how you would argue against it.