[gruez]

You mean SSO? I think that's slightly disingenuous because it's still possible to be perfectly secure with username/password login. Sure, having SSO might prevent Barbra from accounting (who failed the last 3 phishing training sessions) from getting phished, but that's the company's problem, not the vendor's.

[JimDabell]

When a person leaves an organisation, it’s difficult to find all the various team accounts they have been added to in order to remove them. So you end up in a situation where people no longer in the organisation frequently still have access to anything non-SSO.

That’s a very obvious, legitimate security issue, why are you accusing people of being insincere about it?

[gruez]

>When a person leaves an organisation, it’s difficult to find all the various team accounts they have been added to in order to remove them.

Again, that's inconvenient but doable, just like phishing prevention.

>That’s a very obvious, legitimate security issue, why are you accusing people of being insincere about it?

I'm not denying it's a security issue, any more than I'm denying that phishing isn't a security issue. I even specifically mentioned the possibility of employees that fail phishing training. I'm objecting specifically to the "ransom" framing, which is a pejorative way to imply that companies have a duty to offer all security features for free.