Comment by thwarted
2 days ago
The MFA is getting out of control too. Go to the vendor's tool/website, which uses some SSO method and redirects/prompts me to log in with the SSO provider. Authenticate to the SSO provider, which requires MFA. It redirects me back to the vendor's tool/website, which prompts for its own MFA. And the vendor's tool's configuration has a security setting that requires all accounts to have MFA, even if they are authenticated via other means.
I have this at my work. One system requires SSO, so I go to the SSO gateway, touch my YubiKey to log in to SSO, and then I am redirected back to the original app, and it also wants my YubiKey, so I touch it again, and then I am finally granted access.
The root of trust is my YubiKey in both cases, but the implementation was lazy.
I brought this up to our security team and they shrugged.
I need to use SSO with MFA for something. So I sign in.
Every once in a while, the token attached to that somehow expires. Which means that once I have successfully signed in (but before doing MFA) I am redirected to a DIFFERENT SSO system.
I get to login to that and enter its MFA code.
Having now completed all security requirements, I get to enter the MFA code for the original SSO.
Double SSO. Double MFA.
Boy, don't we feel secure.