undefined | Better HN

0 pointsnlitened1y ago0 comments

Those who really need SSO are willing to pay extra — why not charge them more for something that is useful for them?

0 comments

OIDC is the only way to get proper 2FA into all services without adding tons of friction. Friction reduces acceptance and usage of 2FA.

Every service that puts SSO in an enterprise tier is a security risk and shouldn't be touched with a 10 foot pole.

Go ahead and put Kerberos and SAML and maybe even LDAP SSO in Enterprise tier, but if you put OIDC in enterprise tier, you're responsible when your customers will get inevitably hacked.

nlitenedOP1y ago

If an organization made a deliberate choice of not paying 5000 USD/mo for extra security, then security is less important for them than this amount of money — so they get what they pay for, and it’s their responsibility.

kuschku1y ago

By that same argument, you could also make security patches exclusive to the enterprise version for a certain amount of time after they've been released.

Only big corporations need security, after all, if a small company gets hacked, well, they should've paid more?

What kind of late-stage capitalism is that? You're knowingly selling an insecure version and somehow it's the customer's fault they didn't buy the "actual security" addon?

nlitenedOP1y ago

I am ready to agree with you if you’re not being hypocritical here. Surely you’re doing only the best work for your employer, and spending your own unpaid leisure and sleep time on honing your non-marketable but company-demanded skills, undergoing psychotherapy to get along better with your manager, and thinking of all the opportunities to save your employer more money.

It would be a shame though if you demanded unpaid work from others, but didn’t live by the same rule yourself.

1 more reply

j / k navigate · click thread line to collapse

0 comments

kuschku1y ago

OIDC is the only way to get proper 2FA into all services without adding tons of friction. Friction reduces acceptance and usage of 2FA.

Every service that puts SSO in an enterprise tier is a security risk and shouldn't be touched with a 10 foot pole.

Go ahead and put Kerberos and SAML and maybe even LDAP SSO in Enterprise tier, but if you put OIDC in enterprise tier, you're responsible when your customers will get inevitably hacked.

nlitenedOP1y ago

kuschku1y ago

By that same argument, you could also make security patches exclusive to the enterprise version for a certain amount of time after they've been released.

Only big corporations need security, after all, if a small company gets hacked, well, they should've paid more?

What kind of late-stage capitalism is that? You're knowingly selling an insecure version and somehow it's the customer's fault they didn't buy the "actual security" addon?

nlitenedOP1y ago

It would be a shame though if you demanded unpaid work from others, but didn’t live by the same rule yourself.

1 more reply

j / k navigate · click thread line to collapse