Conversation

Notices

1. Embed this notice
   Royce Williams (tychotithonus@infosec.exchange)'s status on Monday, 30-Jan-2023 00:53:29 JST Royce Williams

   The first step of the VA authentication flow is just ... wow

   • Embed this notice
     Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Monday, 30-Jan-2023 00:53:17 JST Jake Hildreth (acorn) :blacker_heart_outline:

     in reply to

     @tychotithonus How would you improve this? I have two ideas:

     1. Ask for an email address. The site will search for active accounts in all the available IdPs and redirect to it for the rest of the flow.
     2. Ask the user a series of questions to determine which IdP to use.

     Neither option is great, but both seem superior to whatever this is.

   • Embed this notice
     Matthew Miller :donor: (iamkale@infosec.exchange)'s status on Monday, 30-Jan-2023 01:05:15 JST Matthew Miller :donor:

     in reply to

     • Jake Hildreth (acorn) :blacker_heart_outline:

     @horse @tychotithonus Not putting Login.gov front-and-center feels really short-sighted to me. I think it's a surprisingly great SSO option for a government site, and wonder why more organizations like the VA don't/aren't required to standardize on it.

   • Embed this notice
     Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Monday, 30-Jan-2023 01:07:08 JST Jake Hildreth (acorn) :blacker_heart_outline:

     in reply to

     • Matthew Miller :donor:

     @iamkale @tychotithonus I just noticed MyHealtheVet shows up twice also. Yuccccck.

     I agree login.gov is pretty decent.

   • Embed this notice
     Royce Williams (tychotithonus@infosec.exchange)'s status on Monday, 30-Jan-2023 01:23:28 JST Royce Williams

     in reply to

     • Jake Hildreth (acorn) :blacker_heart_outline:

     @horse Yeah, initial asking for email and routing accordingly would be solid. Though I wonder how many vets have no email address at all.