![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Log In Every 8 hours
Dec. 6th, 2021 07:35 amMy company has been changing its security policies. We're implementing Okta integration for more and more of our internal applications. Okta is a SAML tool; see the remarkably lucid SAML explained in Plan English if you're curious to learn more.
The upside of using Okta (or another SAML tool) is that it provides common password access across disparate applications. For example, I now use Okta to authenticate once and then I have access to my Google Suite tools (email/calendar/Drive), Salesforce, Zoom, etc. without having to manage dozens of passwords and go through separate authentication challenges.
The downside is in the specifics of our policy. For one, we are using 2FA (two-factor authentication). In addition to entering a password I must use an app on my phone to get a rotating passcode. It's one of those 6-digit numbers that changes every 30 seconds. It's a nuisance to open my phone— when I'm using my company computer— open an app— I don't let it run constantly because it's a battery pig— and type the number in to my computer before it expires.
That nuisance would be minor if it were once a day. And that's problem two: it's not. Our policy is the authentication expires after 8 hours. I presume that's because that's supposed to be a workday. Who designed this, the French? The last time I had workdays of exactly 8 hours (or less) was when I worked part-time, in a restaurant, in my teens. Every professional or semi-professional job I've had spans more than 8 hours a day... if only because there's a break for lunch in the middle!
Worse, the integration is currently flaky. Many applications don't recognize the Okta session I authenticate from other apps. So I'm having to do the goddamn lookup-a-new-2FA-code thing repeatedly during the day— which was the whole fucking point NOT to do!
But even when that's smoother out there's still the 8 hour thing. Guess what I'll be doing a lot less of? Yup, checking email on nights and weekends. You want security Mr. Employer? Yup, you'll have a more secure system because I'll use it less.
Update: A mix of good news/bad news, but mostly good news:
The upside of using Okta (or another SAML tool) is that it provides common password access across disparate applications. For example, I now use Okta to authenticate once and then I have access to my Google Suite tools (email/calendar/Drive), Salesforce, Zoom, etc. without having to manage dozens of passwords and go through separate authentication challenges.
The downside is in the specifics of our policy. For one, we are using 2FA (two-factor authentication). In addition to entering a password I must use an app on my phone to get a rotating passcode. It's one of those 6-digit numbers that changes every 30 seconds. It's a nuisance to open my phone— when I'm using my company computer— open an app— I don't let it run constantly because it's a battery pig— and type the number in to my computer before it expires.
That nuisance would be minor if it were once a day. And that's problem two: it's not. Our policy is the authentication expires after 8 hours. I presume that's because that's supposed to be a workday. Who designed this, the French? The last time I had workdays of exactly 8 hours (or less) was when I worked part-time, in a restaurant, in my teens. Every professional or semi-professional job I've had spans more than 8 hours a day... if only because there's a break for lunch in the middle!
Worse, the integration is currently flaky. Many applications don't recognize the Okta session I authenticate from other apps. So I'm having to do the goddamn lookup-a-new-2FA-code thing repeatedly during the day— which was the whole fucking point NOT to do!
But even when that's smoother out there's still the 8 hour thing. Guess what I'll be doing a lot less of? Yup, checking email on nights and weekends. You want security Mr. Employer? Yup, you'll have a more secure system because I'll use it less.
Update: A mix of good news/bad news, but mostly good news:
- The 2FA app is actually easy to use in conjunction with the login page on my computer. Okta smoothed out some UX defects that every previous app I've used for this suffered.
- The company soon increased the 8 hour window to 10 hours. That means I rarely have to reauth during a workday.
- The company set it so we basically never have to reauth to check email on our mobile devices. That seems like a huge security hole... though I imagine they realized the alternative was an end to virtually all after-hours work.
