family-sso
This commit is contained in:
parent
6221216288
commit
f62bc8fcb1
40
content/log/2024/family-sso.md
Normal file
40
content/log/2024/family-sso.md
Normal file
@ -0,0 +1,40 @@
|
||||
---
|
||||
title: "Family Single Sign On Was a Bad Idea"
|
||||
date: 2024-11-23T21:41:39+02:00
|
||||
---
|
||||
|
||||
When my eldest son became of an email-qualified age, I set him up a
|
||||
[Bitwarden][1] instance, so he can keep his password there. He *loved it*,
|
||||
because, it turns out, a 7-year-old finds a personal digital space important or
|
||||
exciting or both.
|
||||
|
||||
My password manager instance is not open to the public internet, necessitating
|
||||
use of [VPN software][2], which needed a method to authenticate (a.k.a. login
|
||||
method).
|
||||
|
||||
As someone inundated into "best practice" security policies of a 10k+-engineer
|
||||
corporation for quite a while, I built my home authentication system using the
|
||||
only method I really respected: single-sign-on. I thought that having a single
|
||||
password for all of our services will be convenient and quite easy. So I set up
|
||||
SSO for a few services that my family uses, including the VPN software.
|
||||
|
||||
After thinking about it for ~2 years I realized that single-sign-on allows
|
||||
companies quickly onboard new employees, as well as quickly revoke access from
|
||||
leaving individuals. Expanding family is limited by obvious constraints, and
|
||||
people generally leave families *very rarely*, making the main SSO selling
|
||||
point quite moot.
|
||||
|
||||
To sum up, having a "single password" was unnecessary, since everyone use a
|
||||
password manager anyway. In a small-family setting, where nobody generally
|
||||
leaves "the company" and my time to maintain the SSO sand-castle is limited, it
|
||||
is an unnecessary overkill. I am quite surprised it took so long to understand
|
||||
that. Maybe my tolerance for self-induced bullshit is too high? Something to
|
||||
consider.
|
||||
|
||||
So my next project is to de-tangle the SSO mess that I put myself in and create
|
||||
separate users and app-passwords for each thing we use. The prospect of
|
||||
executing this "migration" is not fun, but the end result will be better,
|
||||
because things will get simpler for everyone.
|
||||
|
||||
[1]: https://github.com/dani-garcia/vaultwarden
|
||||
[2]: https://headscale.net/
|
Loading…
Reference in New Issue
Block a user