What is this called: basic website security edition
August 14, 2020 5:15 AM Subscribe
I want to suggest a modification to my large organization's website, without resorting to muddy, improvised language that displays my ignorance of website mechanics.
I work for a university that has a lot of online resources which require a login and password to access them. Any given employee or student just has one password and login that's used to access any resource on campus that they're allowed to access. For example we use G Suite, and if I'm not already logged in when I go to check my email through the standard gmail interface, it will send me to the university's standard login page, and after doing the 2fa there on the university site it automatically takes me back to gmail.
My question regards the varying persistence of being logged in, depending on the resource being accessed. Or, maybe it regards different levels of security. Or something.
Logging into university gmail from a personal device is extremely persistent. I go weeks without being asked to log in again for purposes of accessing gmail. But when I log in to other non-G Suite resources, all of which use the same login system, the behavior gets weirder.
There seems to be a class of password-protected resources within the university website which, despite being unrelated in terms of content, allow a sort of generalized access if I've recently logged in to any of them, e.g. I try to access Resource B, am diverted to the login page, and then I find I can also access the unrelated Resources G, Q and S.
But then there are other resources, all within the same university domain, which if I try to access them will kick me over to that same login page again even if I just logged in 2 minutes ago to access some other resource.
My question (your patience is appreciated) is, how can I properly refer to these different behaviors, or to the login behavior associated with different types of resources? The reason I'm asking is that the university is test-driving a new Covid-19-related website feature which every member of the university is being required to access every single day, and it's annoyingly cumbersome because the login is not at all persistent. We have to go through the whole 2fa process, with passwords that are required to be complicated, every single day, regardless of whether we're already logged in and have access to other parts of the same university website. There's no obvious reason for elevated security on this page, and I want to suggest that it be set up to allow very quick and easy access, i.e. if we're considered logged in for purposes of accessing any other resource then we shouldn't have to log in again just to fulfill this dumb daily requirement.
I work for a university that has a lot of online resources which require a login and password to access them. Any given employee or student just has one password and login that's used to access any resource on campus that they're allowed to access. For example we use G Suite, and if I'm not already logged in when I go to check my email through the standard gmail interface, it will send me to the university's standard login page, and after doing the 2fa there on the university site it automatically takes me back to gmail.
My question regards the varying persistence of being logged in, depending on the resource being accessed. Or, maybe it regards different levels of security. Or something.
Logging into university gmail from a personal device is extremely persistent. I go weeks without being asked to log in again for purposes of accessing gmail. But when I log in to other non-G Suite resources, all of which use the same login system, the behavior gets weirder.
There seems to be a class of password-protected resources within the university website which, despite being unrelated in terms of content, allow a sort of generalized access if I've recently logged in to any of them, e.g. I try to access Resource B, am diverted to the login page, and then I find I can also access the unrelated Resources G, Q and S.
But then there are other resources, all within the same university domain, which if I try to access them will kick me over to that same login page again even if I just logged in 2 minutes ago to access some other resource.
My question (your patience is appreciated) is, how can I properly refer to these different behaviors, or to the login behavior associated with different types of resources? The reason I'm asking is that the university is test-driving a new Covid-19-related website feature which every member of the university is being required to access every single day, and it's annoyingly cumbersome because the login is not at all persistent. We have to go through the whole 2fa process, with passwords that are required to be complicated, every single day, regardless of whether we're already logged in and have access to other parts of the same university website. There's no obvious reason for elevated security on this page, and I want to suggest that it be set up to allow very quick and easy access, i.e. if we're considered logged in for purposes of accessing any other resource then we shouldn't have to log in again just to fulfill this dumb daily requirement.
Don't worry about sounding ignorant about website mechanics - you are a user, it's not your job to know these things; your job is to provide your user story, and make it as concrete and detailed as you can. In particular, don't try to guess why it's not working - focus on describing what is not working and how.
Some of my users think they are helping me by trying to talk about the technical aspects of what's going on (e.g. they will complain that the database is timing out), and it complicates figuring out what the actual problem is (e.g. the database is doing fine, a web service is down and their api request is timing out).
What your technical people will love is if you can give them as much detailed, step by step information as you can that will help them look at specific things, e.g.:
1. I enter the address for website X from my laptop
2. I get redirected to login page www.ourawesomelogin.com
3. I enter my name and password
4. I get redirected back to website X
5. I enter the address for website Y, it shows up directly without requiring a login
6. I enter the address for website Z, I get redirected to the login page even though I just logged in five minutes ago
Same goes for your suggestion of what you want changed - tell them what you would like to have happen ( I don't want to have to do 2fa all the time for this resource) and let them figure out how it's going to happen.
posted by each day we work at 5:36 AM on August 14, 2020 [11 favorites]
Some of my users think they are helping me by trying to talk about the technical aspects of what's going on (e.g. they will complain that the database is timing out), and it complicates figuring out what the actual problem is (e.g. the database is doing fine, a web service is down and their api request is timing out).
What your technical people will love is if you can give them as much detailed, step by step information as you can that will help them look at specific things, e.g.:
1. I enter the address for website X from my laptop
2. I get redirected to login page www.ourawesomelogin.com
3. I enter my name and password
4. I get redirected back to website X
5. I enter the address for website Y, it shows up directly without requiring a login
6. I enter the address for website Z, I get redirected to the login page even though I just logged in five minutes ago
Same goes for your suggestion of what you want changed - tell them what you would like to have happen ( I don't want to have to do 2fa all the time for this resource) and let them figure out how it's going to happen.
posted by each day we work at 5:36 AM on August 14, 2020 [11 favorites]
Best answer: At the university I'm at you are talking about "re-prompts." Each website configures the auth software how they want it. There are some limitations such as if a user just isn't logged in on the device they need a re-prompt or if the credential has expired.
I'd say something like "I'd like the fewest re-prompts as possible. Please set the max credential age and max inactivity timeout that you can."
Outlook 365 and G Suite hand off to their own auth once they get through the university login. The dev team for the COVID-19 app can achieve this behavior too. Send me a message if you want details.
posted by bdc34 at 6:20 AM on August 14, 2020 [3 favorites]
I'd say something like "I'd like the fewest re-prompts as possible. Please set the max credential age and max inactivity timeout that you can."
Outlook 365 and G Suite hand off to their own auth once they get through the university login. The dev team for the COVID-19 app can achieve this behavior too. Send me a message if you want details.
posted by bdc34 at 6:20 AM on August 14, 2020 [3 favorites]
Response by poster: I really appreciate the answers above, but I think a bit more context might help. The people I have direct access to and preexisting relationships with are the non-techie people who are in charge of the content of this resource. They're surely farming out the technical stuff to techies in the official Tech department, who are in turn just eager to get it off their plate. If I get too wordy with this, regardless of whether it's jargon or layman's language, then I suspect the content people will just blow off my request as being infeasible due to imagined complexity. I'm looking for concise language that explains the problem, makes it sound entirely fixable, and makes me sound like I know what I'm talking about.
"Re-prompts" has a nice ring to it.
posted by jon1270 at 6:32 AM on August 14, 2020
"Re-prompts" has a nice ring to it.
posted by jon1270 at 6:32 AM on August 14, 2020
Best answer: "Single sign-on is not working to resources A, B, and C after I authenticate to resource X. I am always being reprompted for credentials."
posted by bfranklin at 6:41 AM on August 14, 2020 [4 favorites]
posted by bfranklin at 6:41 AM on August 14, 2020 [4 favorites]
Response by poster: XYLOTHEK: my guess would be that this is HIPAA-protected data and college campuses are full of shared machines so they probably set short timeouts on purpose.
The content does involve vague medical stuff along the lines of 'have you coughed in the last 24 hours,' but it's a thing everyone's supposed to do before coming to campus each day, so on-campus shared computers shouldn't be an issue.
posted by jon1270 at 6:41 AM on August 14, 2020
The content does involve vague medical stuff along the lines of 'have you coughed in the last 24 hours,' but it's a thing everyone's supposed to do before coming to campus each day, so on-campus shared computers shouldn't be an issue.
posted by jon1270 at 6:41 AM on August 14, 2020
I like bfranklin's response. You could also phrase it as, "Doing tfa for Covid resource even after we have done tfa for e-mail resource is frustrating and time consuming. Can Covid resource be added to the single sign on group?"
I still think they will say, No, because HIPPA." but you can give it a shot.
posted by a non mouse, a cow herd at 11:48 AM on August 14, 2020 [1 favorite]
I still think they will say, No, because HIPPA." but you can give it a shot.
posted by a non mouse, a cow herd at 11:48 AM on August 14, 2020 [1 favorite]
I'm not a tech person, but it sounds like the systems aren't communicating properly. My organization uses a multi-factor authentication tool, but once you've logged in using it, all the systems that use it for verification consider you verified for the next 24 hours.
posted by Lexica at 1:34 PM on August 14, 2020
posted by Lexica at 1:34 PM on August 14, 2020
it sounds like the systems aren't communicating properly
It could be misconfigured, or configured that way on purpose. As bdc34 said, it is easy to consider the covid resource as handling PHI, so you don't necessarily want it using SSO. (I am a tech with who has a well respected security cert.)
posted by a non mouse, a cow herd at 2:50 PM on August 14, 2020
It could be misconfigured, or configured that way on purpose. As bdc34 said, it is easy to consider the covid resource as handling PHI, so you don't necessarily want it using SSO. (I am a tech with who has a well respected security cert.)
posted by a non mouse, a cow herd at 2:50 PM on August 14, 2020
Response by poster: FWIW, this page is just a survey asking about current symptoms and whether you know you’ve been exposed in the last two weeks. Upon completion it takes you to another page that says it’s ok to come to campus. Being logged in doesn’t allow access to anyone else’s answers, or to the logged-in respondent’s historical answers. I don’t see that the extra security hoop protects anything at all.
posted by jon1270 at 4:06 PM on August 14, 2020
posted by jon1270 at 4:06 PM on August 14, 2020
The short answer is that it protects the integrity of the PHI being transmitted, which is required by US law.
I totally understand why you find it annoying, and I also totally understand why you think it is superfluous.
This is your AskMe, so I don't want to derail (any more) unless you want me to. I am more than happy to follow up privately. These kind of InfoSec questions energize me, but take at least an hour for a proper response.
posted by a non mouse, a cow herd at 2:29 PM on August 16, 2020
I totally understand why you find it annoying, and I also totally understand why you think it is superfluous.
This is your AskMe, so I don't want to derail (any more) unless you want me to. I am more than happy to follow up privately. These kind of InfoSec questions energize me, but take at least an hour for a proper response.
posted by a non mouse, a cow herd at 2:29 PM on August 16, 2020
This thread is closed to new comments.
They could be misconfigured, timing out the credentials too fast, or not have correctly implemented the "already logged in" path.
posted by nickggully at 5:26 AM on August 14, 2020