> I often work in secure environments and it gets tiring, tiring to the point I admittedly start to take shortcuts to make my life easier, shortcuts that ultimately defeat a few layers of security in some way to keep my sanity so I can... do the actual work.

Yeah, and without getting as agitated as that other guy in the comment thread, this is where security becomes its own enemy. And how achieving effective, practical security is a lot more subtle than it seems.

For example, we've been talking about putting 2FA onto the identity provider allowing access to internal high privilege administrative interfaces, for example via Duo, which requires you to authorize a login via your phone. However, an important question there was: How long would we trust a 2FA authorization?

If every single login after a session expiration requires 2FA, people would riot and/or start looking for workarounds. That's not great. But eventually, we ended up trusting a 2FA authorization for like 12 hours. That's one work day, even if it goes longer. Usually this means you have 2 Duo pings in the morning - one for the VPN and one for the internal IDP. That's entirely acceptable imo.

And in a similar sense, SSO can increase security while increasing convenience as well. For example, our ADFS allows sessions of about 4 hours, so if you access it once in the morning and once during midday, you stay logged in. And this in turn allows systems like the Keycloak acting as an IDP to work with very short session timeouts. As long as you're working, your Keycloak session remains active. Once you're not active for 5-10 minutes, you're logged out from Keycloak - but that's just 1-2 redirects on the next click and you're back in.

And once this is simple and convenient, people want to use this. And suddenly you've gotten rid of a mess of local accounts in different systems and everything is based on the central directory. And that, in turn, is more valuable than validating MFA multiple times a day in the grander context, at least in my book.
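The three-layer session model the comment describes (a 12-hour 2FA trust window, a roughly 4-hour upstream ADFS session, and a 5-10 minute idle timeout on the downstream Keycloak IdP) can be simulated to count how often a user is actually interrupted. The block below is an added illustration, not the commenter's code and not how ADFS, Keycloak or Duo really implement their sessions; the policy numbers are taken from the comment and the click timeline is constructed. The "strict" policy is the one the comment says people would riot over: a fresh 2FA check on every session expiry.

```python
"""Toy model of layered SSO session policies (constructed illustration).

A user click is served by the downstream (Keycloak-style) session while it is
within its idle window. Otherwise the click bounces to the upstream (ADFS-style)
IdP: if the upstream session is still alive the user only sees a redirect; if it
has expired but the 2FA authorization is still trusted, the user re-enters a
password but gets no 2FA prompt; only when the 2FA trust has also lapsed does a
push/OTP prompt happen. Timeouts are fixed-lifetime, not sliding, except the
downstream idle timeout, which is refreshed on every served click.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MINUTE = 60
HOUR = 60 * MINUTE


@dataclass
class Policy:
    mfa_trust: int          # seconds a completed 2FA check stays trusted
    upstream_lifetime: int  # seconds an upstream SSO session lasts once established
    app_idle: int           # seconds of inactivity before the downstream session ends


@dataclass
class Tally:
    served: int = 0              # handled by the live downstream session
    silent_redirect: int = 0     # downstream expired, upstream alive: redirect only
    reauth_without_2fa: int = 0  # upstream expired, 2FA still trusted: password only
    two_fa_prompt: int = 0       # 2FA trust lapsed: the interruption users notice


class SsoChain:
    def __init__(self, policy: Policy) -> None:
        self.p = policy
        self.mfa_trusted_until = -1      # nothing trusted before the first login
        self.upstream_until = -1         # no upstream session yet
        self.app_last_seen: Optional[int] = None
        self.tally = Tally()

    def click(self, t: int) -> str:
        """Process one user click at time t (seconds) and report what the user saw."""
        p, tally = self.p, self.tally
        if self.app_last_seen is not None and t - self.app_last_seen <= p.app_idle:
            self.app_last_seen = t          # idle window is sliding
            tally.served += 1
            return "served"
        # Downstream session is gone: the click is redirected to the upstream IdP.
        if t <= self.upstream_until:
            outcome = "silent_redirect"
            tally.silent_redirect += 1
        elif t <= self.mfa_trusted_until:
            outcome = "reauth_without_2fa"
            tally.reauth_without_2fa += 1
            self.upstream_until = t + p.upstream_lifetime
        else:
            outcome = "2fa_prompt"
            tally.two_fa_prompt += 1
            self.mfa_trusted_until = t + p.mfa_trust
            self.upstream_until = t + p.upstream_lifetime
        self.app_last_seen = t              # redirect established a new downstream session
        return outcome


def run(policy: Policy, clicks: List[int]) -> Tuple[List[str], Tally]:
    """Replay a click timeline against a policy; returns per-click outcomes and totals."""
    chain = SsoChain(policy)
    return [chain.click(t) for t in clicks], chain.tally


# Constructed timeline: 09:00 login, a click at 09:05, coffee break, 12:00, a
# 13:30 click after lunch, 17:00, and the first click of the next morning.
WORKDAY_CLICKS = [0, 5 * MINUTE, 20 * MINUTE, 3 * HOUR,
                  4 * HOUR + 30 * MINUTE, 8 * HOUR, 24 * HOUR]

# Numbers from the comment: 12h 2FA trust, ~4h ADFS session, 10 min Keycloak idle.
COMMENT_POLICY = Policy(mfa_trust=12 * HOUR, upstream_lifetime=4 * HOUR, app_idle=10 * MINUTE)
# The policy people would riot over: 2FA on every session expiry, no upstream session.
STRICT_POLICY = Policy(mfa_trust=0, upstream_lifetime=0, app_idle=10 * MINUTE)

if __name__ == "__main__":
    for name, policy in (("comment", COMMENT_POLICY), ("strict", STRICT_POLICY)):
        outcomes, tally = run(policy, WORKDAY_CLICKS)
        print(name, outcomes)
        print(name, tally)
```

With the comment's numbers the user gets exactly one 2FA prompt per working day (the second prompt in the replay is the next morning), one password re-entry after lunch when the 4-hour upstream session has lapsed, and otherwise only redirects; with the strict policy every click after a 10-minute pause becomes a 2FA prompt, which is the workaround-inducing experience the comment is arguing against.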
