Login Fatigue Is Plaguing Organizations, 1Password Study Finds

[Black Phoenix]

https://vpnoverview.com/news/login-fatigue-is-plaguing-organizations-1password-study-finds/

The study — conducted in June and released Thursday, Sept. 15, 2022 — showed that login fatigue is common in firms that employ stringent security guidelines. This is particularly true for larger organizations where more two-factor authentication, antivirus software, and VPN use are common.

“But accessing the essential software we need to do our jobs is still too complicated, disruptive, and downright annoying — leaving employees frustrated and putting essential data and information at risk,” researchers said.

Over a quarter of workers said they have completely given up on some tasks to avoid login fatigue and 62% of employees even miss parts of meetings. This results in over 10 hours of meetings on average missed, per year, the study said. Around 19% of workers also entirely skipped free perks, discounts, requesting time off, and open enrollment as a result of arduous login procedures.

“Workers have admitted to feeling more zoned out and stressed when they’re told to recall several of their logins for different accounts,” affecting their productivity the study said.

Regarding myself, I don't use 1Password, since having my credentials in the cloud is not my dream. I've been using since 2008 an opensource app called Keypass that creates a database file and have support officially or via the community in most systems as Linux, iOS, Windows Mobile and even Symbian.

The only think I need to remember is when I make changes to the database as adding a new entry, to sync with all the others (if different entries were made in 2 different systems and I didn't replace the main file before it) or plainly replace the copy (if it was only one system and all copies are the same old version).

Yubikey would be an alternative no?

[Someone]

Yubikey would be an alternative no?

No, it can be a part of a replacement but alone its a pretty opaque blob that you dont know what its doing and requires handing over control/trust to the service you connecting it with (some services won't let you have multiple/backup hardware keys registered!)

[dferyance]

Most of the multiple logins and password issues in organizations are self-inflicted. If I already logged into my work computer, why would I need to log into anything else? I'm authenticated, my session has a ticket, everything should accept that ticket. No need to login again. Either the software used isn't properly configured to trust the organization's Kerberos authentication or the software isn't well-designed and shouldn't be used.

I have to jump through hoops every time I access office-online from my computer. It requires a username, password and 2FA. However, if I run the office programs, which access exactly the same documents and data, it doesn't prompt me. That's a sign something isn't setup right. If I can get in without 2FA, it is optional, than is 2fa really doing anything for security?

Much of it too is these online services. They all have their own user accounts and passwords. But it is a solved problem. ADFS works. But either people sign up for online services without consulting IT or security or IT doesn't know or care about having single authentication. Makes user management a nightmare too. Think of all the accounts IT has to shut down when someone leaves, many IT doesn't even know about.

[Marco]

I fear Apple will run away with secure login.

Passkeys are still a complete PITA if they can't be painlessly synced across trusted devices, U2F has been intentionally designed to make that impossible ... it's a mess (I suspect having dongle manufacturers be part of the standard process was not a good idea). Apple will not follow them down that rabbit hole. Better to have Apple's proprietary sanity than open standard insanity.

[eti]

The man you need to speak to is Steve Gibson of GRC. He’s the de facto authority on this stuff.  Listen to his “Security Now” podcast.

[hans]

I have to jump through hoops every time I access office-online from my computer. It requires a username, password and 2FA. However, if I run the office programs, which access exactly the same documents and data, it doesn't prompt me. That's a sign something isn't setup right. If I can get in without 2FA, it is optional, than is 2fa really doing anything for security?

Exactly. My employer uses Microsoft 2FA for everything. It's annoying to say the least to login into e-mail, teams, etc. a couple times per day when using multiple machines (I use 3 on an almost daily basis).

I've now resorted to installing Thunderbird and Office in a VM on my NAS. If I want to access e-mail/documents, I remote into that machine. Far more usable.
For some reason, using the Office365 plugin with Thunderbird only requires 2FA once

[Ed.Kloonk]

Somebody told me this yesterday:

What's Forrest Gump's password?

1forrest1


 

Sorry.

[madires]

If you need strong authentication to limit access to important things then it's, of course, more cumbersome than a simple password. However, there are solutions to deal with this for a long time. One problem I see is that the large platforms/vendors are re-inventing their own version of the wheel. And since most users use services from all major platforms/vendors they can't simply use one authentication method to access all services. Instead, some services share one authentication method, other servcies another one, and so on The IT department rarely can make all services SSO.. There are also environments which require different autentication methods for each realm for security reasons (network segmentation). Another problem is laziness and lack of training, i.e. many users don't understand the purpose of all those cumbersome logins. Yes, people are that smart. And if you still think that all this is a nuisance try entering secured areas/environments which require much more than a password.

[thm_w]

I have to jump through hoops every time I access office-online from my computer. It requires a username, password and 2FA. However, if I run the office programs, which access exactly the same documents and data, it doesn't prompt me. That's a sign something isn't setup right. If I can get in without 2FA, it is optional, than is 2fa really doing anything for security?

Exactly. My employer uses Microsoft 2FA for everything. It's annoying to say the least to login into e-mail, teams, etc. a couple times per day when using multiple machines (I use 3 on an almost daily basis).

I've now resorted to installing Thunderbird and Office in a VM on my NAS. If I want to access e-mail/documents, I remote into that machine. Far more usable.
For some reason, using the Office365 plugin with Thunderbird only requires 2FA once

Kinda confusing statement here, as you agree with them but then what you write sounds like something isn't setup correctly.

Can you not just leave the machines logged in to your account and lock them?

[hans]

I was commenting on the difference between native and browser apps. I never press any logout button.. it seems to have a mind of it's own and does that by itself. I cannot configure 'anything'. It does this in any browser I use. I always VPN to home so IP stays the same. Meanwhile, the integration via Thunderbird does not have this issue.

I hear the same compliant from colleagues that run their stuff on company managed installs in Windows. My 3 machines include 2 Linux laptops and a Linux desktop that's dual booting. It's inevitable these get shutdown as I'm not a fan of standby mode with sudden wake-ups (Linux power management is kind of iffy).

[thm_w]

Ah browser access and linux would make sense. Presumably closing the browser clears whatever auth cookie was there, or it expires after a certain amount of time it doesn't see you online.

[amyk]

"Password manager company says using password managers will help."

[vk6zgo]

"Password manager company says using password managers will help."

Well-duhhh....

It's bad enough that I need a PIN number to get into my own personal computer to talk crap on EEVBlog, but I'm being pushed to change to any of a dozen competing complex ID systems.

Meanwhile, the "bogeyman" can use my debit card to make multiple purchases without needing my PIN number.
It seems craptalk is more precious than my life's savings!

[eti]

Old, simpler ways are best:

Have a notebook, and inside the notebook you write all your passwords. You label the notebook “Recipes” or “Germination records for dandelion seeds” or something equally as boring sounding.

You keep the notebook in the same place all the time.

Solved.

[RJSV]

Just happening now:
   Dermatologist is a specialist utilized by my main doctor, and that Dermatology office is a 'sub-structure' in the network I've been encountering...So they use a 'Healthcare Portal, supplementing the main doctor's Web Portal.
   But NOW, that Dermatology specialist needs a skin tag removal done, and so now there is a SECOND sub-level, having the similar LOG-ON Password creation / account creation (needing documents submitted by camera).
   So, that's THREE log-in style 'Portals', each needing an entry, into my 'BLUE' personal note book/ journal...
Often, I've had to spend seemingly endless time, calling doctor's customer representatives, trying to unsnag snafues like:
   Screen flips to other menu stuff, just as I lift my finger to 'Enter Password'.  Android phones not so good, the office staff has said, "Please come into office and bring your phone,...so we can help figure out YOUR GLITCH in phone entry, there."  YEAH, MY Fault...

   I've sometimes contemplated doing a STRIKE !  Not allowing ANY questions, from anyone, (except traffic cops),... NOT cooperating with anyone...until they obtain from me, a PASSWORD / LOGIN NAME...
   Sorry, let's play this like I see it...You need 911 call, Broken Leg ?
   Response cheerfully supplied...but ACCOUNT REQUIRED, for any answers.
ON STRIKE, For password 'justice', for geeks like me!

[PlainName]

Old, simpler ways are best:

Have a notebook, and inside the notebook you write all your passwords.

Rubbish. I have 507 security details (not all passwords - some are multiple passwords along with security questions and various other details) and just finding the right one would be a pain, never mind adding new ones (where? With a notebook it can only be the end, so any organisation is screwed). Then you have to consider maintenance, like the ones that insist the password is changed every month, and can't be similar to the preceding 10 or so (so all of those need to be tracked).

If you can keep all that in a notebook you're either reusing passwords, using stupidly simple ones or not logging into much.

And when you accidentally lose the notebook, or leave it behind when you're out and about, or spill your coffee on it, or it's just in the other room, you'll be wishing you had a backup somewhere. Good luck manually backing up your 'cookery' notebook.

[tooki]

Old, simpler ways are best:

Have a notebook, and inside the notebook you write all your passwords. You label the notebook “Recipes” or “Germination records for dandelion seeds” or something equally as boring sounding.

You keep the notebook in the same place all the time.

Solved.

No, that’s awful advice for numerous reasons. Don’t do this, folks.

[SiliconWizard]

"Password manager company says using password managers will help."

Yeah. And they come up with "login fatigue". Reminds me of all those new sociological concepts that in the end do promote (of course completely unwillingly) large businesses. (I do love modern sociology  )

[PlainName]

"Password manager company says using password managers will help."

Yeah. And they come up with "login fatigue".

Nevertheless, it's a real thing. It's something that really pissed me off about Linux desktops for a long time: having to bloody log in every boot, practically every config change, etc. And having to do that militates against strong passwords. If you have to type the same thing in a zillion times a day you're going to make it easy to type and remember (though after the first thousand to so times I guess you'll've got the hang of it). And also resistant to changing it.

[aeberbach]

1Password replaces login fatigue with popup fatigue. Run the 1Password helper? Save this password? Another dialog that “helpfully” appears every single time a field that looks like it might possibly be a password is loaded on a web page?

It was better when it was just a simple secure vault and didn’t try to integrate itself and do everything.

[PlainName]

Any sort of login that requires an action is going to lead to 'fatigue'. A major reason why I enable biometrics on the phone (and wouldn't now buy one without a fingerprint reader). Perhaps some bright spark will come up with a fingerprint reader on a mouse and make a killing.

[Black Phoenix]

Any sort of login that requires an action is going to lead to 'fatigue'. A major reason why I enable biometrics on the phone (and wouldn't now buy one without a fingerprint reader). Perhaps some bright spark will come up with a fingerprint reader on a mouse and make a killing.

Uhmmm - https://www.google.com.hk/search?q=fingerprint+mouse

Tons from Lenovo, HP and I remember some years ago by Microsoft, when Microsoft hardware division made good hardware.

[Sredni]

Old, simpler ways are best:

Have a notebook, and inside the notebook you write all your passwords.

Rubbish. I have 507 security details (not all passwords - some are multiple passwords along with security questions and various other details) and just finding the right one would be a pain, never mind adding new ones (where? With a notebook it can only be the end, so any organisation is screwed). Then you have to consider maintenance, like the ones that insist the password is changed every month, and can't be similar to the preceding 10 or so (so all of those need to be tracked).

If you can keep all that in a notebook you're either reusing passwords, using stupidly simple ones or not logging into much.

Or, he has a pencil and an eraser.
And one of those notebooks with letters people in the old days used to write phone numbers in.
Never spilled coffee on anyone of those.

And when you accidentally lose the notebook, or leave it behind when you're out and about, or spill your coffee on it, or it's just in the other room, you'll be wishing you had a backup somewhere. Good luck manually backing up your 'cookery' notebook.

It works a charm when you are working from home. It literally requires the hacker to physically break into your home.

[Ed.Kloonk]

It works a charm when you are working from home. It literally requires the hacker to physically break into your home.

And be able to read his handwriting.

[madires]

What about social media fatigue?

[PlainName]

Any sort of login that requires an action is going to lead to 'fatigue'. A major reason why I enable biometrics on the phone (and wouldn't now buy one without a fingerprint reader). Perhaps some bright spark will come up with a fingerprint reader on a mouse and make a killing.

Uhmmm - https://www.google.com.hk/search?q=fingerprint+mouse

Tons from Lenovo, HP and I remember some years ago by Microsoft, when Microsoft hardware division made good hardware.

Oh!

Maybe I missed them because I won't look at anything except the Logitech Master series of mice 

[rdl]

I use the "write them down" method, but admittedly I don't have that many to worry about. Maybe 30 or so. Fits on one side of a regular sheet of paper. And I use the same or fairly similar passwords for non critical stuff. A few of them have to be changed occasionally, after they've been scratched out and replaced once or twice, that's a good time to re-write the entire list and start with a fresh copy.

[madires]

Nevertheless, it's a real thing. It's something that really pissed me off about Linux desktops for a long time: having to bloody log in every boot, practically every config change, etc.

sudo fatigue?

[PlainName]

Oh yes!

[Marco]

Cloudflare seems to be getting into the game.

I think they want to make the mobile phone the dual authentication factor login to rule them all. (e)SIM as a (semi-)physical security factor and the mobile phone login as the second factor (biometric and occasionally PIN). Presumably bluetooth to the desktop/laptop to authenticate, leaves some room for a relay attack by an attacker in proximity but not too bad, there's also the timing factor, it will presumably ask you to authenticate on the phone the moment you authenticate on the computer.

[Marco]

Oh now Passkeys are going live I see Apple&Co are allowed to sync/clone passkeys by the Fido Alliance ... that's nice from an usability point of view, but I'd really prefer if we could have our own encrypted backups instead of having to go through Apple&Co.