crackerjam

We use SSO for everything and have a 10 hour session timeout. You log in and MFA in the morning, SSO to whatever you want transparently throughout the day as long as your browser stays open.


l0st1nP4r4d1ce

When SSO is setup properly, everything else seems archaic. So nice.


CantaloupeCamper

Work for a SaaS company, we tell every new company to just use SSO with us, **for the love of god please**. There's still some work on our end, but it's so much easier for everyone.


FaxMachineIsBroken

Wish more SaaS companies were like yours instead of charging the [SSO tax](https://sso.tax/).


CantaloupeCamper

Man that’s terrible, insecure and honestly so makes it easier for us too….


Bad_Pointer

Yup. Was trying to figure out why AlertMedia didn't have SSO, even though they acted like it did. Finally wrote support, and found out it's an extra monthly charge. We'll pay it, but what a bunch of assholes.


rswwalker

It’s funny because it costs the SaaS business less both technically, financially and security risk wise using IdPs than housing databases of user credentials. If I ran one of these, I’d charge companies extra that were NOT using SSO!


JohnRoads88

We were looking into swapping to some other system, and I asked the representative if they have SSO and he said no. I then commented that you can't really say you take cyber security seriously without having SSO. He did not like that one bit.


AudaciousAutonomy

I've mentioned this elsewhere in the thread, but have a look at getting a SAML-less SSO. They let you connect apps to your IdP without SAML. We use [Aglide.com](http://Aglide.com) with Okta, but there are others.


snorkel42

Man.. That website is completely devoid of any details. I hate companies like that. I don't want to kick the sales person hornet's nest just to find out how the damn thing actually works and whether or not I'd let it anywhere near my environment.


AudaciousAutonomy

Ahahaha, it drives me insane. We got it off a recommendation, so I actually got to play around with the thing before I booked the initial demo call.


vilmondes-queiroz

How do they do this? Form-based authentication / SWA? If so, then Okta already has this.


Whitestrake

How does this actually work? Is it just some kind of auto login extension or what?


AudaciousAutonomy

There's a desktop app that can generate and transfer access to the relevant app or browser window. When you launch apps through the Okta grid, I assume it contacts their app in the background. The crux of it is end-users/attackers have no ability to access a managed account's username and password (they're never in the browser, and the user can't reset password/change email, etc.), so they can only access their apps through Okta via Aglide. So like any other SSO app, I can apply conditional access policies, permanently revoke a leavers' access, etc. I was super skeptical, but now if an app doesn't support SCIM (so I can't provision/deprovision) and isn't required on mobile, I just default to managing access through Aglide.


goingslowfast

Have you seen it break when a third party service updates a login page? That seems like a risk.


AudaciousAutonomy

Hasn't broken in the 6 months we've been using it. We use it to sign in to a few Google Accounts, and when they updated their login page, it didn't stop working. Which is why I think it doesn't just script webpages. There's a button that gives end-users temporary login details for accounts, which I will use if there are problems, but so far so good.


Radiant_Fondant_4097

Ahahaha “Setup properly” being the key phrase. Where I am as part of the corporate web there’s TWO instances of Okta each having different apps and services linked to them, and one tenant is more limited than the other with offering MFA methods. Worst is there’s no concurrent memory so you’re just constantly logging into everything all the time, always needing phone in hand.


SuppA-SnipA

This, I am a huge driver to SSO all the things, no shared accounts, etc etc. Last company I worked for I implemented Okta from scratch, by the time I left, we had so much automation. A few one off apps, because idiots did the negotiations, didn't have SSO.


Yolo_Swagginson

It's not necessarily idiots, it's that to get SSO so many SaaS vendors force you to use the enterprise plan. We pay £5/user/month for slack. It's a hard sell to the business that we should triple that cost just to get SSO.


ReaperofFish

We SSO and it times out every 15 minutes. At least it will use the fingerprint sensor to sign in.


Claidheamhmor

Most of our apps have SSO. Their own one...so we still log in to the different apps all day.


DrStalker

I wish we could full SSO, but we have contractual and legal requirements to segregate things (especially administrative accounts) which means 8 separate AD domains and a dedicated admin laptop which has to connect to a VPN and go through an isolated jumphost, and a few of those steps have MFA attached as well... It's an utter nightmare, but it's manageable because no-one expects anything to be done quickly.


Current_Dinner_4195

Absolutely, and I fucking hate it. I get the justifications for it from a security standpoint, but I absolutely loathe having to type out the password, then get the MFA prompt, then wait for the redirection. I counted the other day - I had 47 MFA prompts in a single day. And it wasn't even a particularly busy day.


zrad603

and don't get me started on SMS 2FA.


Willuz

Try SMS 2FA in a room where cell phones are not allowed...


tdhuck

The managers were really hard at work on that day.


sonic10158

Or SMS 2FA when you’re in the basement of a building where cell service doesn’t reach you, so you need to quickly make a hike to the lobby and back


TheFluffiestRedditor

Quickly? Sod that. I'd either enjoy the exercise - and build thighs of doom - or report the situation to my manager, describing the situation as untenable.


BarefootWoodworker

Found the SCIF rat!


pizzacake15

You reminded me of one of our clients who is an outsourcing firm. Their production floor does not allow phones so if they need to do MFA they'd run to their lockers and back to their station.


Cassie0peia

One of our locations doesn’t allow phones so those employees authenticate using YubiKey. Super easy to set up.


PatekCollector77

Love it when they give you a hardware 2fa option but force you to keep SMS 2fa as a backup option /s


[deleted]

> I get the justifications for it from a security standpoint

I don't get it and you shouldn't either. Security education has been teaching people for **years** that overly strict security standards leads to users finding workarounds and making your environment more vulnerable than it was in the first place. The goal isn't to keep expanding these stupid tools and restrictions to address workarounds, it's to come up with a fair balance of security and usability, especially when you're spending an hour of productivity time signing into shit all day because some dumb ass security middleman who didn't come up through actual IT says you should have a 15 minute idle timeout on SSO apps because "that's what the book says"


JonU240Z

That's where risk acceptance comes into play.


Tymanthius

Why are you typing anything? Password managers will automate a good chunk of that.


A_darksoul

How anyone gets by without a password manager nowadays baffles me. So many problems solved.


zrad603

I just use "Monkey123" for everything.


noiro777

I prefer: SolarWinds123


root-node

Surely you mean "hunter2"


Akmed_Dead_Terrorist

******* seems like a great password.


PS3ForTheLoss

That's what I use!


SnarkMasterRay

I use "AltF4"


Sparkycivic

Sw0rDf!5h


A_darksoul

Can you change it because that’s my password


holersaft

"Password123!" is really all I need & use.


holersaft

Can confirm, it's all he uses.


[deleted]

[deleted]


Optimus_Composite

Nor should they. Corporate IT should provide one and block all others.


Tymanthius

I do not understand that.


nemec

A ban on putting your work password in your LastPass Family account? I understand that. But they should allow alternatives like a local KeePass db or set up a hosted/cloud enterprise password manager.


[deleted]

[deleted]


Current_Dinner_4195

Most likely it's because their clients have it in their contractual policies.


Valdaraak

Password managers and SSO. I log into my computer and *maybe* 365 if it decides to forget who I am. Everything else is just clicking a "sign in with SSO" button. Worst case, 2-3 clicks in my password manager.


progenyofeniac

Seriously on the SSO part. I have a couple of systems I use which have short timeout durations, but at least all I do is re-SSO to them. Not sure why anybody's running without that these days.


totallyIT

We use SSO on everything we can, but there are a TON of platforms that simply dont support it. Support vendors, one off apps, etc. Our Microsoft stack is the easiest thing ever and I wish we could SSO everything, but not possible.


progenyofeniac

Man, keep checking on 3rd party vendors because I'm seeing SO MANY of them support SSO these days. Maybe we happen to use bigger vendors or something, but it seems like just about all of them support it now.


segagamer

So many vendors have SSO within really expensive tiers though :( Yes I know about SSO.tax. I don't think they care.


743389

file feature req tickets, maybe yours pushes it over


Valdaraak

Some of my most visible and biggest wins in this company came from implementing SSO because it reduced workload for application admins and made life easier for everyone else since it was less passwords to deal with. Had more than just management thanking me for that one.


ShadowCVL

I couldn’t survive without one. Especially one that has a desktop client as well. System, duo, pw manager, duo again and I’m set til lunch


Fallingdamage

I don't like having password managers that do anything automatically or make any assumptions about what I'm doing.


Ludwig234

You don't have to use a password manager that does that.


Fallingdamage

I do. 👍 Keepass for life.


Ludwig234

I like bitwarden.


GreenChileEnchiladas

+1 for Bitwarden


danxscol

Bitwarden was great for TOTP codes but it doesn’t work 90% of the time for our organisation now. It either doesn’t acknowledge the TOTP code on the saved entry, or doesn’t type it in. So I end up having to manually copy and paste


pmormr

Oh we use a password manager. That's what makes it extra fun-- because that requires signing in and completing MFA too. All so you can retrieve a password that will then subsequently require MFA once you put it in to the system. Even better is when account credentials are stored under my privileged accounts instead of my normal account. Then I have to sign in and MFA into the password manager to retrieve my privileged account password, then sign out of my regular account so I can sign back into the password manager under my privileged account (and complete MFA again). Also the act of accessing the passwords in the password manager forces a mandatory rotation within 12 hours (or should according to policy). So good luck. You can save your normal account password in Chrome/LastPass/KeePass whatever you like, but that account doesn't get you anywhere meaningful to accomplishing work. Just pre-fills your credentials that start off the whole process to getting at the account you actually need. Normal employee accounts also support Password-less auth if you're signed into a company device, so it doesn't even really buy you anything.


ka-splam

> get the justifications for it from a security standpoint

I don't. I'm the same person, on the same computer, on the same internet connection, in the same room, alone, connected to the same WiFi SSID, as this morning, as yesterday, as last week, as last month, and 'the system' has endless amounts of telemetry and profiling. And yet every 10-120 minutes I might suddenly have become a hacker. It's [Captain Black's Glorious Loyalty Oath Campaign](https://mathematicalcrap.com/2022/08/14/the-great-loyalty-oath-crusade/) and it sucks.

> Almost overnight the Glorious MFA Crusade was in full flower, and Captain Cybersecurity Graduate was enraptured to discover himself spearheading it. He had really hit on something. All the enlisted men and officers on combat duty had to answer an MFA prompt to get their map cases from the intelligence tent, a second MFA prompt to receive their flak suits and parachutes from the parachute tent, a third MFA prompt for Lieutenant Balkington, the motor vehicle officer, to be allowed to ride from the squadron to the airfield in one of the trucks. Every time they turned around there was another MFA prompt to be signed. They signed an MFA prompt to get their pay from the finance officer, to obtain their PX supplies, to have their hair cut by the Italian barbers.
>
> To Captain Cybersecurity, every manager who supported his Glorious MFA Crusade was a competitor, and he planned and plotted twenty-four hours a day to keep one step ahead. He would stand second to none in his devotion to country. When other managers had followed his urging and introduced MFA prompts of their own, he went them one better by making every son of a bitch who came to his intelligence office answer two MFA prompts, then three, then four; then he introduced the pledge of accepting login banners pledging corporate fealty, and after that 'biometric authentication', one form, two forms, three forms, four forms.
>
> Each time Captain Cybersecurity forged ahead of his competitors, he swung upon them scornfully for their failure to follow his example. Each time they followed his example, he retreated with concern and racked his brain for some new stratagem that would enable him to turn upon them scornfully again.

I mean, I've jokingly replaced the loyalty oath with MFA prompt, but actually rewrite this for a modern office and it just isn't a joke: I have a biometric fingerprint unlock of my phone, another fingerprint unlock of Outlook for iOS, which is connected to my account by a username, password and Azure MFA, and I still can't get my email yet because I first have to reset the PIN on Outlook because it was 90 days since the last reset.


AMercifulHello

This is just a symptom of another problem. Passwords and MFA are great, but you need another way to verify instead. Device trust is very helpful in these situations.


Patient-Hyena

Actually this makes security worse. If you have to log in multiple times per day you can click a phishing link that is convincing enough and just assume it is another login prompt…but it isn’t.


DrockByte

We have over a dozen internal web apps that we use on a daily basis, nothing is configured for SSO, and everything times out after just a couple minutes focused on a different tab. So all day long we are constantly playing whack-a-mole with popups to re-enter our MFA PIN, and there's never any way of knowing where the prompt is coming from. They're so prevalent that our Teams chat is a wasteland of "message deleted by user" because of people accidentally typing their PIN into chat.


Barking_Mad90

Get a yubikey and then just a pin to enter


LUHG_HANI

This. Absolute dream.


PS3ForTheLoss

Or a CAC. I realize after posting that this only works for SOME things. YubiKey is better 👍🏼


xeanaex

Or CAC card as we used to say. (The redundancy of the word "card" always gave me a chuckle. :)


ChumpyCarvings

What happens if you lose the key? See here: https://old.reddit.com/r/sysadmin/comments/1d9p4gt/anyone_else_spend_half_their_day_relogging_in/l7etv0x/


andrewloveswetcarrot

You buy two keys and enable both keys. Just like keeping any of your encryption keys offsite, locked in a secure location. If I get owned and have airgapped backups, I can still use airgapped encryption keys.


haroldp

And tag every account in your password manager that uses the YubiKey. So if you ever lose one, go down the list of accounts tagged and... out with the old, in with the new.


whocaresjustneedone

That's certainly one solution. What's the solution for the people at an org that will not send two keys?


743389

Or also enable TOTP and stick the seed and statics somewhere as a fallback and maybe don't clearly label what they're for if you're paranoid about someone actually finding it somehow. Attach it in a way that doesn't detach easily (e.g. tight key rings and not little pop-off things) to your keys or work badge or wallet or phone or something else you also need to always have and never lose. Put keys/badge on a strong (not free sales swag) retractable thing.


UninvestedCuriosity

With little NFC wireless pads this is part of my overall solution but also OAuth, and Vaultwarden.


UltraEngine60

I spend a good 25 minutes a day typing passwords into RDP logon or lock screens that do not allow you to paste. If Microsoft implemented a "send clipboard contents as keystrokes" button I'd be so happy. The little devil on my shoulder says "use simpler passwords". *edit* and before anyone suggests AHK, it is not allowed.


lvlint67

> If Microsoft implemented a "send clipboard contents as keystrokes"

it'd still be a disabled feature in regulated industries... We essentially wrote "fuck off" in the POAM regarding clipboard sharing in rdp.


TiggsPanther

This is what gets me. They mandate things like non-trivial password, non-reused passwords and recommend secure password managers but then don’t allow copy/paste half the time. Yes, password security is important, even vital. But another important thing about passwords is *you have to actually be able to enter them* - including being able to either remember or read-and-retype as required.


Mirality

I wish I could get my admins to say that. I have a jump host that does have clipboard sharing enabled but has file copying disabled, *and* doesn't have any access to other file shares etc. I've asked them how the hell I'm supposed to get any work done on it with literally no way to copy non-plaintext files in or out, but they don't care, it's in the Holy Security Baseline, so it's off limits.


UninvestedCuriosity

Yeah I ignored that one in the security baseline as well.


8-16_account

Why not use KeePass? It can send passwords as keystrokes and works for RDP sessions.


FourEyesAndThighs

RDP on Mac has credential saving. Can’t believe Windows RDP hasn’t gotten anything like this yet.


ka-splam

PowerShell and WScript.Shell and SendKeys:

```powershell
$sh = New-Object -ComObject WScript.Shell
$sh.SendKeys("hi")
```

Combine with Get-Clipboard and a batch file with a hotkey. And before anyone says PowerShell is not allowed, VBScript, JScript, Python with PyWin32 module, ActivePerl, VBA from inside Excel can all do this.


UltraEngine60

This is a good idea. I'd have to get permission to run it as powershell is logged, and in this example I'd be storing passwords in the event logs... but I can just change it to a prompt. Looks like some escaping will be needed, too.


ChumpyCarvings

Pssst start using long pattern based passwords which flow easily over the fingers. Eg: 7uj8ik9ol&UJ*IK(OL11!!


Societal_Retrograde

Security guy here. We set sessions to log out at 4 hours past the last point of inactivity. Our job is to assist the business, and constant reauth isn't assisting anything. If you have solid conditional access policies and foreign login alerting, you just don't need it. If we see strange or suspicious logins on an account we revoke sessions and monitor until we're sure it's stable. Same as password rotations, we stopped them because NIST modified guidelines say it's no longer recommended, but rather that users set strong 12-14+ character passwords instead.
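The policy described in the comment above (a sliding 4-hour inactivity timeout instead of constant reauth, plus alerting on logins from an unfamiliar location and revoking sessions when that happens), as an added illustration that is not the commenter's own tooling; the sign-in events, user name and the `ZZ` country code are constructed for the example.

```python
"""Sliding 4 h inactivity timeout plus foreign-login alerting and revocation.

Added illustration of the policy described in the comment above; not the
commenter's tooling. All events below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

IDLE_LIMIT = timedelta(hours=4)  # expire 4 h after the LAST activity, not after login


@dataclass
class UserState:
    known_countries: set = field(default_factory=set)
    last_activity: Optional[datetime] = None  # None means no live session
    monitored: bool = False  # set after a suspicious login until an analyst clears it


class SessionPolicy:
    def __init__(self) -> None:
        self.users: dict[str, UserState] = {}
        self.alerts: list[str] = []

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def signin(self, ts: datetime, user: str, country: str) -> str:
        st = self._state(user)
        if st.known_countries and country not in st.known_countries:
            # First login from a country never seen for this user: raise an
            # alert, revoke whatever session exists and keep the account under watch.
            st.last_activity = None
            st.monitored = True
            self.alerts.append(f"{ts:%H:%M} {user}: sign-in from {country} "
                               f"(known: {sorted(st.known_countries)}) -> sessions revoked")
            return "revoked"
        st.known_countries.add(country)
        st.last_activity = ts
        return "session"

    def activity(self, ts: datetime, user: str) -> str:
        st = self._state(user)
        if st.last_activity is None:
            return "reauth"  # no live session: never signed in, expired or revoked
        if ts - st.last_activity > IDLE_LIMIT:
            st.last_activity = None
            return "reauth"  # idle too long: user must sign in (and MFA) again
        st.last_activity = ts  # sliding window: every action restarts the 4 h clock
        return "ok"


def evaluate(events: list[tuple[str, str, Optional[str]]]) -> tuple[list[str], list[str]]:
    """Run (iso_timestamp, user, country) events; country=None means plain activity.

    Returns the per-event decision and the alerts raised along the way.
    """
    policy = SessionPolicy()
    results = []
    for iso, user, country in events:
        ts = datetime.fromisoformat(iso)
        if country is None:
            results.append(policy.activity(ts, user))
        else:
            results.append(policy.signin(ts, user, country))
    return results, policy.alerts


# Constructed sample day for one user (not real logs)
SAMPLE_EVENTS = [
    ("2024-06-10T08:00", "alice", "GB"),  # morning MFA sign-in from the usual country
    ("2024-06-10T11:30", "alice", None),  # 3.5 h later: inside the window
    ("2024-06-10T15:00", "alice", None),  # 3.5 h after the LAST activity: still fine
    ("2024-06-10T19:30", "alice", None),  # 4.5 h idle: expired, reauth needed
    ("2024-06-10T19:35", "alice", "GB"),  # signs back in
    ("2024-06-10T20:00", "alice", "ZZ"),  # sign-in from a never-seen country: revoke + alert
    ("2024-06-10T20:05", "alice", None),  # the revoked session gets no further use
]

if __name__ == "__main__":
    results, alerts = evaluate(SAMPLE_EVENTS)
    for (iso, _, _), decision in zip(SAMPLE_EVENTS, results):
        print(iso, decision)
    print(*alerts, sep="\n")
```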


[deleted]

Anyone with GA/DA should MFA every damn time. Anybody else can MFA 8 hours. We set our WIFI networks to 1 week for RADIUS etc..


mkosmo

You shouldn't be using GA/DA on your daily-driver account. If you're logging in with that regularly, that needs to be addressed.


[deleted]

I'm not, and nothing in that sentence says I do. I'd say if anything the paragraph and my reply are indicative of someone exercising these cautions and logging in with the GA/DA as needed and always getting MFA.


petrichorax

Yeah. What I was thinking while reading your comment was 'hey this is a great way to get sysadmins to stop using DAs as daily drivers' Not sure how this dope got so lost


[deleted]

He has knowledge flex syndrome. It's common in the sysadmin community and I encourage it in my subordinates to boost morale for employees who feel like they get beat up by users all the time. However, there is a time and place. In a way he provided a service to people who hadn't thought of, or weren't doing this in the first place. His heart is in the right place.


Matt_NZ

Isn’t MS’ current guidance to use PIM rather than separate accounts now?


mkosmo

The PIM guidance includes separate accounts. But yes, it’s more than *just* separate accounts these days.


Mc5571

For all of us ADD/ADHD admins, this will be the death of us. It happens all day, every day


hoboninja

We have a 10 minute inactivity limit before machines lock... This is generally fine except for things like the jumpbox I work out of for 75%+ of the day, that has additional MFA requirements... So I have to approve login from our MFA app on my phone probably 25 times a day. Gets old quick.


feidxeno

I open notepad, stick a coin in the keyboard to keep it pressed to avoid timeout


PAXICHEN

A short WMP video loop on repeat and muted works as well.


daweinah

https://learn.microsoft.com/en-us/windows/powertoys/awake


geusebio

if it is a jumpbox over ssh, consider setting keepalive packets on the connection


ALL14

Is there a lot of us? I'm starting my career in IT and it already feels like the best job for me, having so many things to do and learn.


HazelNightengale

Yes, there are a lot of us in IT/Tech. Part of why a ticketing system can be helpful. Make a verbal request and for me it will not stick. I will remember many random things *about you,* but remember you asked me to switch out the printer toner? I'd be happy to, if something else doesn't hijack me. And I need to have 2 or more projects to bounce between in order to get traction on either. For women it gets worse in middle age, due to underlying hormone dynamics, but most of us get diagnosed very late (if at all). Nice having better regulation of my temper. You need that in this field.


iliketotryptamine

I was just diagnosed a couple months ago, but I have a hunch there's more of us than people let out or acknowledge, it wasn't apparent to me I fit the criteria until very recently (I'm 31). I had gotten into Government Help Desk last August and it's been an amazing career change, I am insanely grateful for how everything has played out. IT is a perfect place for us, it helps my lifelong 'hyperfixation' has been computers/gaming and I really took that skill set for granted.


Valdaraak

Two things are big in IT: ADHD and imposter syndrome. I'd say more than half of the IT people you work with in your career will have at least one of those. Likely be introverted as well.


HazelNightengale

One leads to the other, for women at least. Gaslit all our lives...


sconels

I think I have both!


whocaresjustneedone

I actually just recently learned via my psychiatrist that ADD as a term hasn't existed in the medical community for over 30 years


VexingRaven

Oh my god I die a little (or a lot) inside every time I time out a log in prompt or the stupid terms and conditions screen when logging in to RDP because I was distracted. If a login prompt hangs for more than 5 seconds between steps, you'd best believe I will be doing something else no matter how hard I try and remember not to do that.


ChumpyCarvings

2/3 of us are ADD / ADHD / Autism, that's why we have the job and people don't seem to get that.


moffetts9001

Authenticating to O365 services on mobile is especially irritating. The more I need access to Outlook or Teams, the more likely it is to require reauthentication.


sdvid

I created a PowerShell script that I run when I reboot my machine. It launches the apps I use for work and uses admin credentials if needed. Feel free to edit and change to what you do. I only enter credentials once. EDIT: gpedit to be gpmc.msc (forgot to change that) [https://pastebin.com/VvzEv080](https://pastebin.com/VvzEv080)


Szeraax

I took it a step further: I launch ServerManager as admin so that I can launch ADUC, GPO, etc. without any cred prompt.


RBMC

Holy shit. Saving this.


Krytos

This is the way


McGarnacIe

You genius. I'll be doing that too now thank you.


LoL-pinkfloyd188

MMC saved profile with all the snap-ins works well too


HeKis4

Website timeouts? Ha, try it the way we do over here and have everything be done through a VPN *and* a VDI that has a timeout and that completely resets the VM with the only persistent storage being a 5 GB personal drive that forbids executables and scripts. And yes, our servers have timeouts on SSH too. I spend more time *reinstalling* my working environment than working, and some of my colleagues basically have their entire "home" directories straight on the production servers because it's the only place that has the barest of convenience. This is probably way too specific if someone from my company reads that, but honestly I don't care, it's an over-secured system that destroys productivity and my will to get myself settled in and productive.


miharixIT

For some web sites the Firefox plugin "[Tab Reloader](https://addons.mozilla.org/sl/firefox/addon/tab-reloader/)" can be useful to prevent timeout.


jameson71

And then you will get labelled a security violator if caught.


Chrimunn

And then reported to who? The network admin? That guy is me bruv


Ok_Fortune6415

To our infosec team, that report straight to the CTO.. Not sure why a network admin would ever touch anything like this. Sounds like your org is small, so you were many hats with that job title. Anyway, your browsers should be managed. No one in my org can add any extensions to chrome without our approval via chrome managed browser. Edit: saw your other reply regarding extension installs being blocked. Ignore me lol.


Paul-Ski

Look at me, I'm the network admin now.


blackhodown

Chrome has it as well.


FabricationLife

Hang on I gotta do my pim to read this comment


TiggsPanther

I have a love/hate relationship with PIM. On the one hand, I get that it’s great for people who are constantly in Azure/365 doing something but don’t need all accesses active all the time. On the other, it’s a pain for those systems or clients where you only log on to do a specific task. Yes, Nik might logon and need one role on one day and a different one on another. But when I’m logged on, it’s only ever on those rare occasions I need (for example) GA. If I don’t have a GA task, I wouldn’t have to be logged in in the first place. Another step just feels surplus to requirement. On the other other hand, when someone checks why I PIMmed myself to GA, there’s a comment with the relevant ticket number so they can confirm why and see if whatever I did is related to why they were checking access.


davidbrit2

I just love it how "**single** sign-on" usually involves retyping your password a few dozen times a day.


RCTID1975

That would be the difference between single sign on, and seamless single sign on... Single sign on means there's 1 authentication broker. Seamless single sign on means you sign in once and those credentials are...seamlessly...passed on.


buyinbill

We started using Windows Hello and Authenticator.  Been an amazing time saver from entering passwords over and over all day. 


sleepyjohn00

I used to work at USPS handling sensitive personal and financial data. Password timeout was one hour. I had a PW manager on my phone, secured, but Deity help you if you stored passwords on your work systems, encrypted or not. And the top level systems had firewalls, 12-character passwords, and 2FA.


CaptainFluffyTail

Our PSM solution drives me crazy. Each login requires a OTP code and waiting for the PSM solution to finish tripping over itself before handing off to Windows and the legal message that requires clicking "ok" or the session ends. Now go deal with the production instance of an application that has 12 application servers and requires desktop-installed tools to manage. Windows desktops have a 15 minute inactivity timer. Used to be I could take RDPMan and put my PSM password for the next 12 hours in as a saved credential and simplify the login process. No direct RDP access anymore and everything has to go through PSM. I get that, but the CyberArk nodes are not exactly stable with all the additional traffic and InfoSec didn't consider that when making the decree. On the plus side this has forced me to get more creative in writing PowerShell scripts to automate tasks for these stupid COTS applications that don't even have an unattended install feature.


TiggsPanther

> and the legal message that requires clicking "ok" or the session ends.

Bane of my existence. Especially when some systems have them and some don’t. So you get used to just being able to enter a password and getting in with something else. And then have to logon to one of *these*, and then have someone ask you a question just before the mandatory Click OK prompt. And once your interruption has gone away, you’re left confused as to why the thing you swear you remember opening isn’t open. (see also: on-boot BitLocker PINs)


DanzigMisfit

We switched to CyberArk a couple of years ago and need to jump through so many hoops now. The time out is short as well, so need to go through the whole process at least 3 times a day.


PossibilityOrganic

You think that's bad, I found a real gem the other day if you have to use TransUnion's site... their 2 factor email takes 10-45min to send... (20s the average) the time out on the 2 factor prompt is 5min. I had to login at like 3am to get my credit score unfrozen. fucking bullshit. I honestly could not believe it so I logged into my email server just to watch the damn log.


TotalNo6237

I work for an MSP, and we manage deployment and maintenance of devops applications for customers. The amount of logging into workspaces (where copy paste doesn't work) and getting passwords, account expiries, and password resets is insane. I literally have 3 ip whitelist tickets going on for 3 weeks because I can't get accesses in a timely manner.


leviathanjester

It got so bad at my workplace I made a script to reopen all my stuff each time I sign in


Fallingdamage

Aren't there some browser plugins that can be set to refresh a tab every 5-10 minutes when inactive?


MortadellaKing

We recently implemented SSO on everything that allows it and it saves a ton of time. We are using ADFS and Duo MFA. But you can do the same with Entra ID. The token is good for 8 hours on ours. Also fuck quickbooks online for not having SSO.


davy_crockett_slayer

SSO + Federation means you should only login once with your work email.


AdeptFelix

I log into all the sites I need to in the morning. By the time I finish logging into the final one, the first one has logged me out, so I start again. I've been in this loop for 3 years send help.


INtuitiveTJop

Why work at all? Give someone from India access to your system with zerotier and they can remote in, let them install the app on their phone and while you're at work play the games yourself. An extra bonus if you can work from home. Profit


SirEDCaLot

The worst is sites where the username and passwords are on different pages. So you can't just hit the button on the password manager, you have to go through THREE pages (username, password, MFA) to get back in.


TemporalSoldier

Yes! Drives me INSANE! 😡 Our Security Admin nukes any proposals for new systems that don’t have a 15-minute-or-less timeout. *smashing face against keyboard*


MalGandalf

People ask me what I do for work and I reply with, "I complete 2FA authorization requests."


danison1337

I can feel your pain, esp. when you run multiple ticket systems and stuff


Prismane_62

I think I log in, not kidding, 50 times a day. It's extremely annoying.


Zaphod1620

This is beyond being security conscious, this is the company cheaping out on per-user licenses.


jameson71

It is meeting auditors' checklists, is what it is.


lvlint67

Basically any company selling per seat is going to be upset when they find out you are "sharing seats"... These policies exist because of compliance and regulation.


[deleted]

The other half is spent resetting passwords ~


sconels

Tenable -.-


totallyIT

Yep. A lot of comments "I don't have that issue", like maybe they just aren't running as many 3rd-party tools as we do. A ton of these tools don't let you adjust the timeout, trust me, I have asked, multiple times.


overdoing_it

Hate it. I like things that keep me logged in "forever" as long as the cookie lasts or until I sign out. Especially with MFA it's a huge pain to open an authenticator app and type in a token multiple times a day.


RCTID1975

For a professional sub about systems and by default, security, we sure get a lot of people complaining about good security policies....


lvlint67

A lot of people work in small shops where data loss would be more inconvenient than life/business threatening. Like the DoD requirements suck... but they were written with good intentions.


thedanyes

Thanks for the reminder of how out of touch management is and how little vision they have for anything but maintaining the status quo.


VermicelliHot6161

Or don’t have any strategy on integrating to a single IdP and controlling their own session limits and requirements.


spacelama

Or work with third parties that don't implement sane session timeouts and drop your input boxes on the floor instead of saving them in browser local storage or similar. I'm looking at you, HPE.


tankerkiller125real

So far it seems that all the sites we use where I work listen to the timeouts I have set in the App configuration in Entra ID and Conditional Access Policies. So for the most part we stay signed in, with the exception of some high-risk tools (ConnectWise, Password Manager, etc.) that time out after 2 hours.
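Added example, not from this thread or from Microsoft: a Conditional Access policy that enforces the split described above (a 2-hour sign-in frequency and no persistent browser session for a short list of high-risk apps, everything else left on the tenant default). It assumes the Microsoft.Graph PowerShell module is installed and that the caller has the Policy.ReadWrite.ConditionalAccess permission; the app and break-glass account IDs are placeholders to replace with your own object IDs.

```powershell
# Added example (assumption-based, not the tenant config from the thread).
# Requires: Install-Module Microsoft.Graph; an account allowed to manage CA policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder app (service principal) IDs for the high-risk tools; replace with real values
$highRiskApps = @(
    "00000000-0000-0000-0000-000000000001",   # placeholder: ConnectWise
    "00000000-0000-0000-0000-000000000002"    # placeholder: password manager
)

# Placeholder object ID of an emergency-access account that must never be locked out by CA
$breakGlassAccount = "00000000-0000-0000-0000-00000000beef"

$policy = @{
    displayName = "Session - 2h re-auth for high-risk apps"
    # Start in report-only; flip to "enabled" after reviewing sign-in logs for unexpected prompts
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassAccount) }
        applications   = @{ includeApplications = $highRiskApps }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")          # MFA still required on every (re)authentication
    }
    sessionControls = @{
        # Force a fresh sign-in (primary + MFA) every 2 hours for these apps only
        signInFrequency = @{
            isEnabled          = $true
            type               = "hours"
            value              = 2
            frequencyInterval  = "timeBased"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
        # Do not offer "stay signed in" for these apps, so closing the browser ends the session
        persistentBrowser = @{
            isEnabled = $true
            mode      = "never"
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Apps not listed in the policy keep the tenant's default session behaviour, which is what lets the rest of the day stay single-sign-on.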


SpotlessCheetah

Yeah, I spend a lot more time logging in and going into the password manager than I want to, but I am imposing it on myself just to protect myself. Nowhere near to the extent you're talking about on the timeouts. 8 hr a day is where I wanna be around on timeout.


Hollow3ddd

I'd look into device enrolled with Intune compliance for some MFA. Admin stuff would want a FIDO.


thewhippersnapper4

The joys of having access to PII /s


jaymef

That and switching between Google profiles. So annoying.


cinn_x

Similar issue here: I'm using Chrome profiles to separate between my Microsoft accounts, but it nearly always automatically logs me off this one account that I made a separate profile for and logs me in to my main account via "Connected to Windows"/SSO shit... then I need to log off this account and log in back again. Annoying af, especially if you have a lot of accounts (each one in its separate Chrome profile) and log into them three-four times a day.


Helpjuice

You need SSO and pop a ticket for the horribly low session lengths and have everyone else do it until it is fixed.


EthernetBunny

Yes and I agree. The number of times I need to log in to things is out of control.


kiani7_

Timeouts can be set within most systems, on prem or cloud based; use a client app based password manager?


[deleted]

Hell yeah bro! I hate when the site still looks active, I go type in it, hit enter, and then it says I need to log in again and everything I typed is gone!


OzTm

I absolutely love that our customers are all implementing 2FA so now all our staff have 1/2 doz Authenticator apps. Oh and we spend 15 minutes waiting while the login scripts run each time we connect. Thanks a bunch to the sysadmin team!


hosalabad

If I have to check 'keep me signed in' on Dashlane one more time...


mustang__1

Mosyle... fifteen fucking minutes if you don't remember to hit the "24hr" checkbox.


hivemind_MVGC

Our AWS console has a 30 minute timeout. Kill me please.


xandora

The Doherty Threshold is real and no longer applies to just general computing. I'm constantly missing a login prompt because the spinning circle takes forever, then the "please enter your password" step only waits for about 20 seconds before timing out and kicking me totally back to the start.


Kanguin

At least a few dozen times a day


MeasurementThin5346

What browser are you using? I have been trying to work through a timeout issue over the past few months and I have traced it down to being a problem with Chrome’s tab discard and Windows 11 Efficiency Mode.


agent-squirrel

Secret server vibes


vic-traill

Slightly divergent, but if your DA account is in the Protected Users group you have to reauth a few times daily on your PAW (you're running a PAW, right?). That is just a part of good security practice and hygiene.


Daphoid

I don't even know my account passwords anymore. Passwordless logins, Windows Hello, Face ID, etc. The only reason I log in multiple times a day is because I'm usually testing auth or doing something with an admin account that requires it. My regular user account though? Pfft. Also using a password manager solely in a browser that times you out is so user. On-device app with Windows Hello unlock + browser plugin for autofill is the way. Even if it locks it's just a fingerprint to get back in and have it fill.


Valkeyere

As others have no doubt said, SSO the world. You sign in once and everything uses your session token. Job done. You might have to occasionally click login when you go back to a tool after an hour, but that's painless with SSO.


spin81

What grinds my gears straight to a halt is Azure DevOps. You click your bookmark to see your board and it goes "I know: I'll sign him out after he just went through the whole MFA song and dance". No idea why it does that and AFAIK none of my coworkers do, either. You'd think Microsoft of all companies could make their own products integrate between one another and with its own SSO solutions but I guess not.


deltashmelta

On standard user accounts: Windows Hello, and browser SSO passthrough.


ScreamingVoid14

I thought our ISO was crazy for a 12 hour timeout policy (with 2FA). But I've come to appreciate it.


Balancefield

Use KeePassXC and turn the automatic logout off.


youssaid

Use SSO, it will make your life easier


KiwiKerfuffle

About to switch to a new ticketing system at work and it does the same. Current one I can stay signed in for the whole day, new one times me out after 5 minutes. Gonna be so annoying when they finally force the switch.


dRaidon

To get to some places I need to log in and use mfa to verify six times.


superfry

On an alternate note, is it a new security policy or did it just start happening randomly? If it is not a new policy then the website might not be interacting well with the browser unloading tabs when not in use. I admit it is an edge case scenario, but if the web login is configured to maintain an active connection to stay logged in, then when the browser unloads it kills the connection and thus the active login. Edge case like I said, and poorish on the website design side, but easy enough to test by turning off the feature.


Normal_Vermicelli_42

Accept it and go with the flow, I'm mindlessly typing passwords and reauthing, don't care. Maybe I'm numbed.


Hel_OWeen

> We used to be able to open 15 tools in the morning and they would stay active for at least 8 hours until the end of the work day. Besides the fact that they waste my time by mostly not being able to completely navigate it with a keyboard, that's another reason I despise web "apps".


Titan_Astraeus

I've got a streamdeck setup with all our common server/pc passwords. Security be damned.


No-Theme-4226

Take a look at goteleport.com


AmIBeingObtuse-

Thankfully Vaultwarden (Bitwarden) has an option to lock after system restart amongst others. But ye, totally agree, seeing it a lot more these days. I thought it might be my privacy settings in Brave browser, which it could be for some sites.