They call it single-sign-on

but from the admin's perspective, it's much simpler (and that's all that really matters, isn't it?)

;-)
 
Not to oversimplify since I don't know the environment; but MS Edge will be able to transfer Microsoft credentials automatically where Firefox and Chrome may not.

Also, work from home makes SSO harder because you can't trust every machine in the home. This often means that some SSO credentials have a specific life cycle after which they must be renewed.
 
Lol. I love it. For my office terminal I have three layers of passwords to enter. Takes forever. Not in patient rooms we do have single sign on with an ID badge that is chipped which is nice when it works but for my office space the managers won’t allow us to have the single sign on chip reader.
 
Our SSO system now requires no less than three multi-factor authentications to get into the system that most of us use. Forced five-minute no-activity timeout.
And yet the system is no more secure now than a decade ago.
 
I sure like being retired. What's this management requirement nonsense? :p
 
I just took a new job as Lord and Master of All Infrastructure for a smaller, newer company. The bad part… Incredibly highly regulated industry and we’ll be a high profile target, I’m sure. The good part: It’s so, so nice to know that I can actually take the time to do these things right from the start.
 
Dunno why the online world can't just move to USB tokens and be done with it.
 
My Fortune 500 co is so bad we have three emails for all the different systems.
User name can be your clock number or email 1, 2, 3.
Some logins use a token some don’t.
 
Dunno why the online world can't just move to USB tokens and be done with it.
Maybe because plenty of devices don't have USB ports, and lots of the ones that do have the USB ports disabled by security policy.
 
Maybe because plenty of devices don't have USB ports, and lots of the ones that do have the USB ports disabled by security policy.

That's funny, because I've got maybe a dozen computing devices in my house, and every single one has either a USB or lightning port.
 
That's funny, because I've got maybe a dozen computing devices in my house, and every single one has either a USB or lightning port.
Yeah, but how many of them are upstream ports and/or OTG?
 
Yeah, but how many of them are upstream ports and/or OTG?

Dunno, but my USB security key works in all of them.

I also have a PKI smart card that I use for federal government website access. That has been a requirement for about 15 years now for sensitive DoD websites. My company bills tens of millions of dollars a year in invoices submitted on a government financial system secured with PKI smart cards. I log into about 10 different federal websites that way. One card, one password.

The reflexive naysayer responses on this thread are bizarre. Google went to physical tokens several years ago. It is clearly the most secure approach, and far more convenient than keeping dozens of different userids and passwords on napkins or in a password manager.
 
Dunno, but my USB security key works in all of them.
Impressive. I've got a half dozen devices that are upstream-only. The ones that are OTG have pretty strict requirements on who/what they will talk to.
 
Passwords suck. MFA is pretty much required for anything sensitive these days. The right way to do that is with a hardware device, but nobody wants to eat that cost for general public use. So we end up with mickey mouse solutions, that kind of work. I'd be happy if *everyone* would just stop using "what's your favorite kind of cheese?", or some other nonsensical question system, or some part of SSN to clear locked accounts. I hate having litigation fix problems, but we could use a good suit to get rid of the first, and it would be great if the feds just announced a publish date for SSN's to get rid of the second. Having a unique identifier also be part of the authentication is nuts.
 
That's funny, because I've got maybe a dozen computing devices in my house, and every single one has either a USB or lightning port.

When I was working with the USAF, every single USAF computer had one or more USB ports, and every single one had the USB port(s) disabled by security policy applied to the computer.
 
When I was working with the USAF, every single USAF computer had one or more USB ports, and every single one had the USB port(s) disabled by security policy applied to the computer.
My last three company issued laptops had the USB ports disabled as well.

I’m not opposed to MFA; in fact, I’m requiring it with my new job where it’s my decision how it’s implemented. USB tokens never even factored into the decision. Every single person who works or will work for us has an Android or iOS device, and those make dandy soft tokens.
 
When I was working with the USAF, every single USAF computer had one or more USB ports, and every single one had the USB port(s) disabled by security policy applied to the computer.

Every single one also had a smart card reader for PKI login via CAC or external PKI, which has been DoD policy since 2011.
 
Every single one also had a smart card reader for PKI login via CAC or external PKI, which has been DoD policy since 2011.
Personally, I have no objection to authentication hardware factors for high-security environments (I've used RSA key generators for consulting with the US government, myself), but I don't think it will ever take off with the general public.

Like everyone else, I've also lost hours of my life at meetings and conferences waiting for MacBook users to find someone with an HDMI adapter for their laptops to connect to the projector, because they invariably have lost or forgotten theirs. I also remember how much casual users have hated having to use any software that required a physical device as a license key all the way back to the 1980s (when they typically plugged into parallel ports). And finally, we increasingly access the web via phones and tablets, so USB authorisation keys would require not just carrying around a USB key, but also the right adapter (old iOS, new iOS, USB-C, micro USB, etc).

It's just not a good user experience for most people. If physical authentication/license devices have failed to get widespread adoption by the public in >35 years, it's hard to picture that suddenly changing now. People aren't good at remembering to carry around multiple things; most of them can barely manage to keep from dropping their phones into the toilet.
 
Like everyone else, I've also lost hours of my life at meetings and conferences waiting for MacBook users to find someone with an HDMI adapter for their laptops to connect to the projector, because they invariably have lost or forgotten theirs. I also remember how much casual users have hated having to use any software that required a physical device as a license key all the way back to the 1980s (when they typically plugged into parallel ports). And finally, we increasingly access the web via phones and tablets, so USB authorisation keys would require not just carrying around a USB key, but also the right adapter (old iOS, new iOS, USB-C, micro USB, etc).
Mobile phones can be configured as authorization keys themselves, so no adapters are necessary.
 
Mobile phones can be configured as authorization keys themselves, so no adapters are necessary.
Granted, but then you get into the privacy concerns about MIN/MSIN. It's true that most users aren't aware of how many apps already exploit that, but with an authentication key it will be staring them right in the face. It's possible there will be some big disruptive shift that makes this happen, but it's been too many decades for me to have much confidence any more (hardware-based authentication for every(wo)man has been "right around the corner" since the late 1980s).
 