by ZuLuuuuuu 659 days ago
SSO + 2FA is more secure in practice than letting people create/manage their own accounts at every service. Because:

- You can force a password policy centrally (minimum 12 char + uppercase/lowercase + number etc), for every service the company is using that supports SSO.

- You can force 2FA, again for every service the company is using that supports SSO.

- You can disable an account immediately from the central admin panel as soon as you notice an account is stolen.

- When the employee leaves the company, you can delete their account centrally from every service, so there are no inactive company accounts registered to various services.


Yes good points.

I have to argue the second part of this, though.

> minimum 12 char + uppercase/lowercase + number

The first minimum char counts rule is great. You increase the entropy exponentially with every added char.

But the second part when you make rules about each individual char, then you are actually decreasing entropy. The space of possibilities actually shrinks every time a rule defines what a char must or mustn't be. An attacker now knows that certain things are guaranteed, and can tune their brute force algorithm to expect a big ascii letter, a large ascii letter, a latin number, an ascii special char. They now have a much smaller search space than before, when each char could be any utf8 char. You're basically leaking exploitable information about the password by having character rules.

The alternative in practice is not all utf8 characters, the alternative is lowercase letters. If there are no rules that require uppercase and alphanumerics, or length, then many people will use passwords that are easy to type, and short, and not impose security difficulties on themselves. The alphanumerics + case rule is addressing human behavior, and effectively does increase the search space (by a lot) for most people, not decrease it. It would be nice if most password entries could detect other utf8 chars and allow them to substitute for cased alphanumerics, or if longer passwords could relax the rules. The point is to meet a threshold of security against attackers, and the blanket rule does that but ignores some viable and convenient alternatives.

You also decrease entropy by having a minimum length rule. The point of these rules is only to forbid weak passwords.

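Both sides of this exchange can be put in numbers. The following is an added example, not code from any of the commenters; it assumes the 95 printable ASCII characters split into lowercase (26), uppercase (26), digits (10) and specials (33), and counts by inclusion-exclusion how many strings survive a "must contain at least one of each required class" rule, then compares that to the lowercase-only short passwords people actually pick without a rule.

```python
from itertools import combinations
from math import log2

# Constructed alphabet model: 95 printable ASCII symbols in four disjoint classes.
PRINTABLE_ASCII = 95
LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 33


def count_passwords(length, alphabet_size, required_classes):
    """Number of strings of `length` over `alphabet_size` symbols that contain
    at least one symbol from every class in `required_classes` (disjoint class
    sizes). Inclusion-exclusion over the subsets of classes that are left out:
    sum over r of (-1)^r * (alphabet minus the r excluded classes)^length."""
    total = 0
    for r in range(len(required_classes) + 1):
        for excluded in combinations(required_classes, r):
            remaining = alphabet_size - sum(excluded)
            total += (-1) ** r * remaining ** length
    return total


def search_space_bits(length, alphabet_size, required_classes=()):
    """Entropy, in bits, of a uniformly random password obeying the rule."""
    return log2(count_passwords(length, alphabet_size, list(required_classes)))


def compare_policies(rule_length=12, lazy_length=8):
    """Bits of search space for: the full 95-symbol alphabet with no rule,
    the same length with a lower+upper+digit composition rule, and the
    lowercase-only password a user picks when nothing forces more."""
    return {
        "no_rule": search_space_bits(rule_length, PRINTABLE_ASCII),
        "composition_rule": search_space_bits(
            rule_length, PRINTABLE_ASCII, (LOWER, UPPER, DIGIT)
        ),
        "lowercase_only_lazy": search_space_bits(lazy_length, LOWER),
        "lowercase_only_same_length": search_space_bits(rule_length, LOWER),
    }


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name:28s} {bits:6.1f} bits")
```

The composition rule costs well under a bit of entropy at 12 characters versus the unconstrained alphabet, while it more than doubles the bits of an 8-character lowercase password; the length term dominates either way.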
> - You can force 2FA, again for every service the company is using that supports SSO.

This can also be a way to balance security and user convenience, which should not be underestimated.

If a user has to do the MFA dance (Duo Pushes, TOTP tokens, ...) once a day for a dozen different services, users will rightfully riot and start looking for workarounds of questionable security. On the other hand, you could have one MFA dance in the morning to get your keycloak session, it is kept alive by normal usage and then it doesn't bother you anymore for the day. Much lower friction.

Another thing is auditing and analysis. With central logins, you need one service with good audit logging, and you need to understand and alert on one log if a user suddenly tries to log in from another continent, hundreds of times a minute. Some of these services have this built-in.