My desktop is secure, why should my web app worry?
By eric on Jan 29, 2010
I can see the convenience of a web app for most people. It can be really nice to run anywhere and get access to functionality and data. Although I think it should be done using different tools, web apps can work.
So now, why then would people insist on making web apps so hard to get into? I don't know about the rest of the world, but I don't use THAT many machines. 90% of the time I find myself in front of my own desktop and/or laptop. Now, these machines are already secured to the level I am happy with: I have my password when I turn on my machine, and sometimes I put a lock screen on. I should be able to connect to a web site on my personal machine and not have to enter a password; I already did when I came to my machine. Do any of my desktop applications ask me for a password EVERY single time I want to use them? No, they NEVER do.
If you want to make a web app like a desktop app, why not do so? Don't force me to log in every time, for starters.
Even the simplest application that does not require any real security on my machine, Facebook, requires me to log in when I go to it. What could be so important in my Facebook that I don't want anyone else to see? Wait, nothing, as Facebook is already all public. Now, would I want to have someone else change my status without my knowledge? No, but then I have physical control of my machine, so they can't.
Most people would say, this is not a problem, Eric, as the browsers now all remember my user id and password for all websites. Does THIS not point to the fact that there is a flaw somewhere? Let me see, the reason we have passwords is so that our access to services can be perceived as secure. Well, what difference is there between a service remembering who I am and logging me in directly, and my browser remembering my user passwords? In terms of security I see no real difference. But in terms of usability, it's HUGE. Let's see, I have a need for a service, I go to it, have the cognitive dissonance of trying to remember my password or reading a screen asking me to log in, then hopefully get back to what I actually wanted to do with the service. And remember, a number of these services don't even have the decency to remember WHERE you were going in the first place; they just wanted you to feel secure. Well, I don't feel any more secure than if you had logged me on, as the password came from my browser anyway.
I think what would fix things for me would be to add a simple checkbox, "Log me in ALWAYS", and provide the appropriate implementation. If it's done via cookies and the browser has cookies turned off, then maybe we need a separate system to capture secure information about our login status with sites.
My other favorite is the timeout feature of a login. I was entering expenses the other day, and it took me some time to get through some gnarly details on a collection of receipts. When I came back to the browser to continue entering details, the browser session presented me with a kindly worded message: "For your own security, this session has timed out". Well, thanks but NO thanks. I lost some data here, as I had already started the expense report. What part of security are you trying to help me with? First, I had to VPN into my corporate network to get to the site. Then, to get into the site, I had to log in with a user id and password. So these two levels of security are not good enough?
Now, you would say, what about when I need to use a public machine? No problem: log in and don't specify the option to keep me logged in ALWAYS. Remember, for me this happens less than 1% of the time I spend in front of a computer. So why hit me 100% of the time with inconvenience?
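The "Log me in ALWAYS" checkbox proposed above, together with the public-machine case where the box is left unticked, is usually implemented as a persistent-login cookie. The following is an added example and not code from the original post; it assumes a selector/validator token whose secret half is stored only as a hash on the server, a 30-day lifetime, rotation of the token on every successful use, and a cookie named remember_me. The in-memory dictionary stands in for a database table.

```python
"""Persistent login ("Log me in ALWAYS") tokens, as an added example.

Assumptions (not from the original post): a selector/validator cookie,
a server-side store keyed by selector, a 30-day lifetime, rotation of
the token on every use, and the cookie name remember_me.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

TOKEN_TTL = 30 * 24 * 3600  # assumed lifetime: 30 days

# Stand-in for a database table of issued tokens: selector -> record.
# Only a hash of the validator is stored, so a leaked table cannot be
# replayed as cookies.
_TOKENS: dict = {}


def _hash(validator: str) -> str:
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_remember_me(user_id: str, now: Optional[float] = None) -> str:
    """Create a token for user_id; return the cookie value 'selector:validator'."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)   # lookup key, not a secret on its own
    validator = secrets.token_urlsafe(32)  # the secret; only its hash is stored
    _TOKENS[selector] = {
        "user": user_id,
        "validator_hash": _hash(validator),
        "expires": now + TOKEN_TTL,
    }
    return f"{selector}:{validator}"


def revoke_all(user_id: str) -> int:
    """Forget every token for user_id (a 'log out everywhere'). Returns the count."""
    doomed = [s for s, r in _TOKENS.items() if r["user"] == user_id]
    for s in doomed:
        del _TOKENS[s]
    return len(doomed)


def redeem_remember_me(cookie: str, now: Optional[float] = None
                       ) -> Tuple[Optional[str], Optional[str]]:
    """Validate a presented cookie. Returns (user_id, fresh_cookie) or (None, None).

    A valid token is consumed and replaced (rotation), so a copied cookie
    only works until its owner next uses the site. An expired token is
    removed. A token with the right selector but wrong secret is treated as
    stolen or guessed, and every persistent login for that user is revoked.
    """
    now = time.time() if now is None else now
    if cookie.count(":") != 1:
        return None, None
    selector, validator = cookie.split(":")
    record = _TOKENS.get(selector)
    if record is None:
        return None, None
    if now > record["expires"]:
        del _TOKENS[selector]
        return None, None
    # Constant-time comparison of the hashes avoids leaking a prefix match.
    if not hmac.compare_digest(record["validator_hash"], _hash(validator)):
        revoke_all(record["user"])
        return None, None
    del _TOKENS[selector]  # rotate: the used token never works twice
    return record["user"], issue_remember_me(record["user"], now)


def set_cookie_header(cookie: str, max_age: int = TOKEN_TTL) -> str:
    """Set-Cookie value for the persistent token: not readable by scripts,
    only sent over HTTPS, not sent on cross-site requests."""
    return (f"remember_me={cookie}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def login(user_id: str, remember: bool,
          now: Optional[float] = None) -> Optional[str]:
    """What the login handler does with the checkbox: the long-lived cookie is
    issued only when it was ticked, so an unticked box on a public machine
    leaves nothing behind. Returns a Set-Cookie header value or None."""
    if not remember:
        return None
    return set_cookie_header(issue_remember_me(user_id, now))
```

The selector lets the server find the record without knowing the secret, the hashed validator means a dumped token table is useless to an attacker, and rotation plus theft detection bound the damage from a copied cookie. Leaving the checkbox unticked on a shared machine issues nothing at all, which is the whole of the public-machine case in the post.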
Single sign-on might work, but again I think it's a workaround to a problem that should not exist at all. As we've seen with single sign-on, various parties want THEIR technology to win, so there is more than one option for a web site to choose from. Here is a NOVEL idea: don't create the need for single sign-on in the first place. If all websites allowed us to log in forever, then the need would not be there for single sign-on products.
Now, I DO realize that single sign-on could be seen as useful when you go to another machine. I'll buy that; however, then having different options for single sign-on doesn't seem as bad, as I won't need to use them very often.
Can we start a campaign out there in the wild for "Login ALWAYS", "Trust my desktop!", "Don't make me log in to my desktop apps every time, anytime"?