
>There is a cost every time a user has to re-authenticate. There is a cost in resources to handle the extra authentications. There is a cost in complexity to maintain and extend the system doing authentication.

I think this is definitely where the security trends in modern IT have gone very awry, as it _is_ extremely annoying to be an end user having to work with modern IT security practices. Off the top of my head:

- MFA everywhere means that if you have any issues with your alternative authentication devices, you are completely locked out of your work and probably your life until you get that resolved

- broad and vague geo-based block lists mean users just flat out cannot access resources depending on where they happen to be, which means service desk tickets, investigations, and ultimately people who cannot access non-sensitive data they should be able to just because of where they are physically located

- CAPTCHAs can lock entire classes of persons out of specific services as the CAPTCHAs aren't easy for these classes to perform on demand

- SSO/SAML authentication pages take you on a whirlwind tour of dozens of randomly generated authentication pages meant to establish and pass your authentication back to a central location, and it makes it impossible to tell from the URLs themselves whether or not it's suspicious unless you know the specifics of the system in use; this is particularly bad because this is exactly what it will look like if you click on a spam site in a search result or a compromised webpage. How is a user supposed to know when they've accidentally gotten tricked into a compromised authentication page? The ubiquity of SSO for logins is nice, but it also means that as a user, I expect that I can be taken to an SSO from just about anything, so how am I supposed to know if the entry point from page X is legit compared to the entry point from page Y?

- a corollary to requiring multiple authentications even from the same device (looking at you Microsoft...) is that it creates uncertainty as to when I should expect to have to sign in; if opening a link to a report requires me to authenticate or just accessing an internal web portal requires additional auth, why should I be suspicious when my colleague's account gets compromised and an attacker sends me a link saying "hey, we need to respond on this form by EOD; don't have time to explain in full, but it's pretty straightforward. I'll follow up in a few hours when I'm done with another item"

- Edited: another corollary with SSO means that getting auth'd once means you get auth'd a lot. While you should need to configure additional security and checks on more sensitive services, since you're already auth'd through the main means of identification, it's often trivial to get the access by normal means or to social engineer access

It really sucks to be an end user in such environments, and it's just too easy for IT security to absolutely lock out legitimate users who are following the policies as best they can with earnest intent.



> It really sucks to be an end user in such environments, and it's just too easy for IT security to absolutely lock out legitimate users who are following the policies as best they can with earnest intent.

Yup. I'd add to your list: multiple corporate auth systems/domains that are supposed to be in sync, but sometimes aren't. When that breaks, you end up having to turn the Internet off to even log in to your work computer, and find yourself flying out to another country so the IT people there can fix the mess, and this is cheaper than them spending a long time trying to help you remotely, while you can't do any work.

Don't ask me how I know this.


> if you have any issues with your alternative authentication devices, you are completely locked out of your work

You have printed the rescue codes when prompted, and have put that physical piece of paper into your wallet, haven't you?


I have ~1000 accounts, ~200 of which are used for work occasionally. Their 2FA recovery methods vary, and some have no recovery method. I'd like to say my wallet is not large enough for the printed codes, but only about 5 accounts even offer backup codes, considerably fewer than the number of 2FA accounts.

Besides, my last Gmail account for work appeared to be locked to my phone and didn't accept backup codes, and was OAuth master to a number of other accounts.

(For real: I lost access to that Google account permanently when my phone screen stopped working due to an internal fault. It wasn't really a problem and I didn't pursue it fully because I left the job soon after anyway, but the fact I couldn't regain access during that time despite copying the broken phone's content to a new device which successfully transferred the 2FA codes for all other accounts, was striking. It's why I don't use Google for id when there's another option. I tend to use GitHub for id at the moment.)


That's a nightmare process for any normal user. There's no way the vast majority of people are savvy enough to do this correctly.


Which part of "click print, cut or rip out a corner, put it in your wallet" is a nightmare for a normal user? (I'm not one, can't judge.)


I used to do something like this with my passwords. A folded, printed sheet with tiny font holding my accounts and passwords that I carried in my wallet. Eventually I found there wasn't enough space even on both sides of an A4 sheet with the tiniest legible text, and a full sheet was hard to fold small enough. The text got mangled in places due to crushing.

I think normal users don't have a printer or a nearby print shop in 2023. (For those with an inkjet printer, the ink has dried and the head seized up since they printed something last year.)

Many people, who I assume to be normal, don't have a wallet separate from their phone these days. They use virtual payment cards on their phone and store paper notes and if necessary cash and a payment card inside their phone case. Not useful for "lost my phone" recovery codes, terrible for "my phone was stolen" as it reveals too much, but maybe good for "my phone broke".


The part where you actually have to do it. And the part where you remember where you put it. What happens when you lose your wallet? Or when the paper gets crumpled up and ruined? Or wet? Do they put it in a lock box? What good does that do them when they are in another country? What if they reset their password and have to reset their codes but forget to update the paper? Or what about when you have the old and new codes and can't remember which piece of paper you put on top? How many of them actually go back and verify that the codes work and the process hasn't changed and they can successfully recover their accounts? How about the 50 other accounts they have all forcing their unique and totally different 2FA recovery process that isn't like any of the others?

I keep my backup codes in a GPG encoded document with copies of it in multiple places. It's a big pain in the ass but I know I'm covered. For the vast vast majority of people this is more theatrical bullshit they won't bother with.


Actually have to do it: I see, but really, dear real user, you are adept at printing pages, you do it quickly and masterfully, just click the button now.

Remember where you put it: the answer is trivial and always the same, "your wallet". The tech support will remind you to look in your wallet if you come to them with your problem.


Yup - let me just go get my "wallet binder" from the storage yard I have to keep it in after adding 800 pages of backup codes (which is literally not an exaggeration - I have more than 800 active accounts between personal/work/contracting).

Let me just bind this fucking book over here, after I ran out of printer ink twice while printing it, and shove that right on into my little wallet flap.

Perfect! Why didn't I think of this sooner!


Most people don't have printers on standby. Most wallets have lifetimes way shorter than those of account rescue codes. Everything else in a wallet - government-issued IDs, bank cards, etc. - has lifetimes way shorter than those of account rescue codes.


> Which part of "click print, cut or rip out a corner, put it in your wallet" is a nightmare for a normal user? (I'm not one, can't judge.)

- click print - you lost 50%+ of your users there, as approximately nobody has a printer on stand-by at home; if they have it at all, it's a hassle to turn it on, and half the time it's probably broken (ink dried out, etc.)

- put it in your wallet - where? Also, what if you lose your wallet? At least with everything else in it, there's a reasonable process of recovery, usually involving visiting banks and government institutions in person. No such thing for webshit MFA.

This is worth repeating: literally nothing else in your life works like this. There are no other documents that you need to hold on to for a decade or more[0], that are in any way important, and loss of which can't be recovered from. It's an impossible ask for most people, because nobody has the habits or even the required perspective for such a use case.

(What I usually hear from people is, "you should put it in your safe". But I don't have one, and I've never (that I know of) met a single person who owned a safe either. It's some American thing, I believe.)

--

[0] - My Google account rescue codes are over a decade old now. I had to use them last year. It's a miracle I still had that piece of paper in my wallet - I've long forgotten about it, but it happened to be put next to a single-page reference for time travelers, so it got transferred to new wallets along with said reference.


Upvoted for the sharp sarcasm that's dripping from this comment.

It was sarcastic, right? Right?


> dozens of randomly generated authentication pages

I have never seen an authentication page be randomly generated.

Elaborate?


I'm explaining it poorly; think about the urls for common authentication redirects and how it usually looks when you go through an SSO portal.

Probably you start at a page like:

sso.company.com

When you try to access a service, you're taken to probably something like

sso.company.com/auth

If your company uses Microsoft or Gmail, very likely before you reach your SSO login, it may temporarily flash MS/Google's auth page briefly before redirecting or loading the elements for your company's SSO portal

After login, probably it will then load something like:

saml_provider.company.com/authenticate/redirect

saml_provider.company.com/[some generated string in the url]/some_action_page

and depending on how it's configured, you might go through a few of those types of URLs with no direct connection to your company or the resource you want, but it's just the authentication process passing your authentication from service to service until finally it figures out to return you to your originally requested resource and it passes an auth token. †

The reason I think this is frustrating is that it's very fast, no user input, but it is observable by the user; you will see the pages loading and the long urls, sometimes some basic info is printed to the page with simple HTML, but the user has no idea what's going on.

Combine this with the fact that this is exactly what happens when you accidentally click on a spam site from search results, and my problem is "how can a user possibly know if this redirect spiral is a legitimate authentication process or if they've accidentally clicked on something compromised?"

† sometimes these auth-spirals don't even take you to the correct item you were trying to get to in the first place, it takes you to a generic landing page...Reddit is guilty of this from my experience where logging in to subreddits that are flagged NSFW will redirect me to the reddit front page instead of back to the subreddit I initiated the log in to check
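The question the comment ends on (is this redirect spiral legitimate?) is one a security team or a browser extension can answer mechanically with a published allowlist of login hostnames. Added example, not from the comment or any product it names; the hostnames, the "company.com" placeholders and the sample chain are constructed from the hops described above.

```python
from urllib.parse import urlparse

# Constructed allowlist: the only hosts an organisation's security team says a
# login or SSO hop should ever land on. "company.com" is the thread's placeholder.
ALLOWED_LOGIN_HOSTS = {
    "sso.company.com",
    "saml_provider.company.com",
    "login.microsoftonline.com",
    "accounts.google.com",
}


def host_allowed(host: str) -> bool:
    """Exact, case-insensitive match only. A lookalike such as
    sso.company.com.login-verify.example or sso-company.com must not pass
    just because it contains the real name as a substring."""
    return host.lower() in ALLOWED_LOGIN_HOSTS


def audit_redirect_chain(chain):
    """Return (index, url, reason) for every hop that should be treated as
    suspicious. The random path segments that SAML/OIDC flows generate are
    ignored on purpose: only the scheme and the exact hostname decide where
    credentials or tokens are being sent."""
    findings = []
    for i, url in enumerate(chain):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            findings.append((i, url, "not https"))
        elif not host_allowed(host):
            findings.append((i, url, f"unexpected host {host}"))
    return findings


# Constructed chain: the legitimate spiral from the comment, plus one
# lookalike host and one plaintext hop that a user would not notice by eye.
SAMPLE_CHAIN = [
    "https://sso.company.com/auth",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=placeholder",
    "https://saml_provider.company.com/authenticate/redirect",
    "https://saml_provider.company.com/9f2c1a7e/some_action_page",
    "https://sso.company.com.login-verify.example/auth",
    "http://sso.company.com/auth",
]

if __name__ == "__main__":
    for index, url, reason in audit_redirect_chain(SAMPLE_CHAIN):
        print(f"hop {index}: {reason}: {url}")
```

Only the last two hops are flagged; the generated path segment in hop 3 is accepted because the host is the expected one.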


Some Lastpass admin page redirects me no joke like 10 times.


Exactly; if you know what these systems are doing it's easier to be comfortable with it, but it's still very annoying/long for every single login.

And we've done such a good job of training users to detect suspicious behavior, and here we are using the same suspicious behavior that spam sites use; it leaves me with a frustrated feeling.



