undefined | Better HN

0 pointsTerretta1y ago0 comments

It's not the price. It's the stupid insistence on putting "SSO" -- which even a single dev should be doing, preferably using OIDC so nobody does any work! -- behind that button.

0 comments

nlitened1y ago

Those who really need SSO are willing to pay extra — why not charge them more for something that is useful for them?

kuschku1y ago

OIDC is the only way to get proper 2FA into all services without adding tons of friction. Friction reduces acceptance and usage of 2FA.

Every service that puts SSO in an enterprise tier is a security risk and shouldn't be touched with a 10 foot pole.

Go ahead and put Kerberos and SAML and maybe even LDAP SSO in Enterprise tier, but if you put OIDC in enterprise tier, you're responsible when your customers will get inevitably hacked.

nlitened1y ago

If an organization made a deliberate choice of not paying 5000 USD/mo for extra security, then security is less important for them than this amount of money — so they get what they pay for, and it’s their responsibility.

1 more reply

TeMPOraL1y ago

Should != really needs to. There's a lot of money in the delta between the two.

j / k navigate · click thread line to collapse

0 comments

nlitened1y ago

Those who really need SSO are willing to pay extra — why not charge them more for something that is useful for them?

kuschku1y ago

OIDC is the only way to get proper 2FA into all services without adding tons of friction. Friction reduces acceptance and usage of 2FA.

Every service that puts SSO in an enterprise tier is a security risk and shouldn't be touched with a 10 foot pole.

Go ahead and put Kerberos and SAML and maybe even LDAP SSO in Enterprise tier, but if you put OIDC in enterprise tier, you're responsible when your customers will get inevitably hacked.

nlitened1y ago

1 more reply

TeMPOraL1y ago

Should != really needs to. There's a lot of money in the delta between the two.

j / k navigate · click thread line to collapse