From f62bc8fcb1ecd53dc6221483b536335fafaf8532 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= Date: Sat, 23 Nov 2024 22:13:58 +0200 Subject: [PATCH] family-sso --- content/log/2024/family-sso.md | 40 ++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 content/log/2024/family-sso.md diff --git a/content/log/2024/family-sso.md b/content/log/2024/family-sso.md new file mode 100644 index 0000000..b806638 --- /dev/null +++ b/content/log/2024/family-sso.md @@ -0,0 +1,40 @@ +--- +title: "Family Single Sign On Was a Bad Idea" +date: 2024-11-23T21:41:39+02:00 +--- + +When my eldest son became of an email-qualified age, I set him up a +[Bitwarden][1] instance, so he can keep his password there. He *loved it*, +because, it turns out, a 7-year-old finds a personal digital space important or +exciting or both. + +My password manager instance is not open to the public internet, necessitating +use of [VPN software][2], which needed a method to authenticate (a.k.a. login +method). + +As someone inundated into "best practice" security policies of a 10k+-engineer +corporation for quite a while, I built my home authentication system using the +only method I really respected: single-sign-on. I thought that having a single +password for all of our services will be convenient and quite easy. So I set up +SSO for a few services that my family uses, including the VPN software. + +After thinking about it for ~2 years I realized that single-sign-on allows +companies quickly onboard new employees, as well as quickly revoke access from +leaving individuals. Expanding family is limited by obvious constraints, and +people generally leave families *very rarely*, making the main SSO selling +point quite moot. + +To sum up, having a "single password" was unnecessary, since everyone use a +password manager anyway. In a small-family setting, where nobody generally +leaves "the company" and my time to maintain the SSO sand-castle is limited, it +is an unnecessary overkill. I am quite surprised it took so long to understand +that. Maybe my tolerance for self-induced bullshit is too high? Something to +consider. + +So my next project is to de-tangle the SSO mess that I put myself in and create +separate users and app-passwords for each thing we use. The prospect of +executing this "migration" is not fun, but the end result will be better, +because things will get simpler for everyone. + +[1]: https://github.com/dani-garcia/vaultwarden +[2]: https://headscale.net/