Brian Anderson (btanderson@infosec.exchange)'s status on Friday, 13-Jan-2023 19:50:31 JST

@SwiftOnSecurity SSO is one of those terms where someone said “easier for users” but the business heard “easy to implement” and therefore dispensed with architecture and planning. It then follows that it gets deployed unevenly, incompletely, with wildly different user experiences across heterogeneous, hybrid and legacy apps and auth proxies until IT just throws their hands up. It takes a lot of planning and communication to make SSO work well past a few apps.
SwiftOnSecurity (swiftonsecurity@infosec.exchange)'s status on Friday, 13-Jan-2023 19:50:33 JST

Note this is a choice some IT person made years ago and nobody realizes is optional, or something is actually broken and people just got used to it. Re-Auth could be entirely seamless if they wanted, or only enforced for certain apps. This is not intrinsic.
Something I see a lot is people accepting bad IT experiences as mandatory. Like this is life, get on with it. But this isn't remotely true.
It's a choice, sometimes just not a choice an organization realizes it has. I have to be the person calling bullshit on stuff because I know. Because I understand what's normal outside the org, or I have literally done their job before as an IT Generalist. The business malaise in accepting deteriorated user experiences is frankly shocking.
You're being led like a dog by people who aren't being challenged to do better. Who often are not stupid and can do better, but have no mandate to venture it.