Why can't we consolidate all the web authentication to a single local provider?
The state of authentication has gotten insanely annoying these days with every app pushing for forced 2fa. Sometimes to just one service, I end up having to 2fa into gmail, 2fa into the service which then needs me to 2fa into another service. I probably end up doing like 20+ 2fas a day.
Why can’t this be consolidated somehow so that I can prove my identity on my computer and have it be valid for all apps for a period of time? There must some solution, I can’t imagine things will stay like this forever
7 comments
[ 4.9 ms ] story [ 30.0 ms ] thread2 reasons really.
1) how to know the computer is honest?
2) how to trust the "one true login to rule them all".
Let's say you 2fa the PC at the start of the day. Then anyone with access to the PC, including remote users, can get access to all services you subscribe to. That makes your machine a very juicy target. And if compromised the penalty for failure is large.
2) all the services you use need to trust the SSO provider. Which makes them an even juicier target. Incidentally Okta -is- in this space, and does what you are asking for, and has been compromised a couple times.
Or to sum up, security is proportional to inconvenience. Improving security makes things less convenient, and vice versa.
What does your app need to trust exactly? That the authentication app I have isn’t a spoof that’s providing bs responses? Can’t I as a user decide the level of security I want for my account? If it’s for work I completely understand, but I really don’t care about most of my online accounts. “To use our service you need to have this trusted authenticator app” seems perfectly reasonable to me. Or if some reason, if we can’t verify that the authenticator app is trustworthy, “we recommend you use this app for your own benefit”. Sure why not I’ll install it. He’ll make it a standard on the OS
As for it being compromised, on the other hand isn’t my phone more easily compromised than my local computer sitting at home?
2. I think Okta is very different as it’s a giant store of authentication details of millions of users sitting on the web.
It just seems very silly to me. I am sitting right here on my computer and 20 different apps need to independently send me a push to check. And god forbid my phone is dead or I lost it
A lot of places which require 2FA also cache it for longer periods (7 to 30 days are common). Gmail in particular should not ask for 2FA daily.
And if you want convenience, some password manages can record 2FA seed (specifically TOTP ones, with 6 timed digits). Then you only login there once, and they fill out most 2FAs for you.
There’s also the fact that I use my phone, personal desktop, and laptop.