On the one hand, Precautionary Principle. The costs of being wrong - and having to explain it to the Board - are just unimaginable. So sure, if you want IT to have a way to push a button and block someone out of the entire network in the time between when their boss says, "Hey, can we talk" and the office door goes 'click', then centralized credentials at least can be somewhat atomic. Session caching, to make this arrangement perform, undermines that immediately of course.

On the other hand, when someone accuses you of something way, way out of character, we learn as we mature that it's fairly likely this person did some mental arithmetic that went, "What would I do in this situation?" and that popped out. The person who accuses you of stealing their mug at the drop of a hat may have a passing fancy with stealing mugs themselves.

So we learn that in perhaps 95% of cases, non-sequitur suspicions are either the product of the mind of a suspicious person, of someone who is jaded by bad experiences (steal someone's lunch enough times and they will start accusing random people), or of someone who deep down knows they kind of deserve whatever is about to happen.

So it troubles me a bit how quickly the C Suite prioritizes having a giant switch to lock people out.

I've developed a nervous habit of any time I hear someone getting 'talked to for a second' or suddenly a bunch of 1:1s show up, of cleaning up my computer a little bit, then my desk. Rarely do I have anything that is worthy of cleaning up, but it doesn't hurt and gives me somewhere to put some of that feeling of impending doom. If I had a bad experience of having to clean out a messy desk, I don't remember it very well, but I'm sure it's happened. I know the first time I quit I learned not to try to take everything home on the last day. Somehow my stuff always ends up being bulkier than I estimate.

Because employers see how some employees act as they depart, even though they don't act similarly around their coworkers. Employers also see trusted employees smile and leave for competitors even after signing that they would not do that. Employers are right to suspect departing employees, because some steal information or otherwise cause issues before they leave.

> So it troubles me a bit how quickly the C Suite prioritizes having a giant switch to lock people out.

I've seen dozens of systems that had to be accounted for when an employee left. Almost all of those systems required separate action to remove the departing employee, plus follow-up checks that sometimes had to be from humans.

It only makes sense to have your employee separation procedure get automated, and during automation it makes sense to communicate with one system instead of communicating with 30 systems that each respond in different ways - some of which require human intervention.

Employers who ask their employees to sign immoral and usually illegal non-compete clauses deserve whatever they get, honestly. Employers should expect their employees to go work for competitors when they leave. Where else are they going to go work, but companies with similar operations? An ecology management company fires and ecologist and they clutch their pearls when that ecologist goes and works for another ecology management company, instead of McDonalds!? Gasp! The nerve of that person!

Don't want your employees to go work for a competitor? Don't treat them like shit.

That's my point as to why employers want to immediately stop access to employees who leave for competitors.

> An ecology management company fires and ecologist and they clutch their pearls when that ecologist goes and works for another ecology management company, instead of McDonalds!?

You can word it that way, but what can and does happen is that employees leave and steal confidential processes or information to boost their own value at a competitor. Many people agree with you, until they start their own company and theft happens to them, draining their work straight to a competitor.

You're in sales at a company in a highly competitive space and are exited. You're not the kind of person to premeditate taking anything with you, perhaps you left on good terms. You join another company and someone there asks you for the book of business or sales leads you were working on that the previous company. Oh look, your login to the CRM system is still working, and you can get a glimpse of information that you shouldn't have access to as a non-FTE. It seems benign, so you copy down a few phone numbers and email addresses. This isn't an academic example.

This wouldn't even be a possibility if the account was locked down immediately. It's obviously much more difficult to control access to information while you are employed (this is a subplot of Snowcrash, afterall), but immediate lockout isn't meant to mitigate that risk. It's meant to mitigate risks from an account being active that shouldn't be.

It's fun, because in my experience, departing employees are always playing ball, while employer starts doing stupid things.

In France, we have 3 months (!) of resignation notice (and it usually really lasts 2). I've always seen departing colleagues still working the whole notice. However managers start asking stupid things "please prepare demo for this prospect, it should take you one month and a half, so 2 weeks to spare!", "hey we need this feature, you're the only one who can do it, please code it before you leave", but rarely "write documentation for everything you did".

> Employers also see trusted employees smile and leave for competitors even after signing that they would not do that.

What? Such clauses actually exist and are actually used?

In France, such a clause requires (ex)employer to pay at least 50% of salary during the period where the (ex)employee isn't allowed to work for competitors (I can't see how this can be a fair agreement without that compensation), but companies pretty much never enact those clauses, because well, they don't care about employees going to the competition /that/ much

Unfortunately it's pretty common in the US, though in some states (like California) such clauses are illegal and unenforceable.

I'm always torn on these sorts of labor requirements/protections. I think anti-compete agreements are gross, but I also wouldn't want to be subject to a mandatory notice period of any kind, let alone 3 months.

Proper offboarding protects you too, not just the company. If you leave the company and someone compromises one of the 27 hard-coded credentials left behind on various machines and services, then it puts you under suspicion.

In companies where I do have hard coded creds (including shared passwords), when leaving a company, I compile a list of all of them and send it to my manager and tell them to make sure they are all disabled.

When you have thousands of accounts and dozens to hundreds of services, manual management just stops being practical.

Most large orgs are subject to one form of compliance or another, and it's inevitable that at some point you have to prove to an auditor that you have onboarding / offboarding processes for everything as that's in their checklist.

This is difficult to prove "at scale" and removing tons of per-service UAR processes is the main value. Each service is an opportunity to screw up - forget to document the process, forget to execute the process, (my favourite) forget to record that you executed the process, or execute the process wrong.

The alternative to automation in a big company is that accounts get left dormant for years.

The risk does not come primarily from disgruntled employees doing bad things—there's already a huge legal deterrent to that since they know exactly who you are. The bigger risk is what can happen when credentials are stolen by actual criminals. This is context dependent, but scales with the number of employees times the number of accounts, the latter of which has trended up dramatically as cheap B2B SaaS has proliferated.

What happens when a laptop is lost? What happens if a DB is hacked and users had reused passwords? How do we know who even has access to what when teams self-administer access control? These start to become real security problems at relatively modest scale even if we assume every employee is a saint.

Even leaving security aside, the management of accounts starts to become a significant pain point in the low hundreds of employees and so it will typically be the IT team that pushes for SSO first well before compliance comes into the picture.

People suck at remembering passwords, and even if you go and give them Password Manager tools like 1Password/Lastpass/whatever, they'll still tend to re-use the same password they use for their personal email, and that random service that recently got pwned.

It's worse when they have credentials like AWS IAM Keys that are while not difficult, are inconvenient to rotate. Those are likely to just sit around on someone's machine and get leaked inadvertently in logs or test code.

It’s often a licensing issue, and definitely a security issue.

Either you maintain this manually - proper time consuming chore at larger companies with many systems and applications.

Or write automations to manage it. Better, but still a lot of work and not always technically possible.

Or you hook as many of these systems as possible up to an SSO solution backed by some kind of identity provider.

This grants many benefits for everyone during the lifecycle of systems and its users - sysadmins, it-support, infosec but perhaps most of all the end-users.

As a manager myself I first and foremost think about how the on-boarding works: is it smooth, and are new hires gaining access to the systems they need without 15 calls to the service desk.

Most SSO integrations have very bad Single-Sign-Out design, if any at all. So as long as the token in your session has not expired yet, you have full access to resources, even if account is blocked in the Id Provider.

No more chasing around for each service figuring out who is the admin for what.

"The UX and tech for PKI Infrastructure isn’t great, and the client UX sucks."

Guess what, it has for years and years. Deployment is hard. Creating certs at scale for normal users has been available for a long long time, but no one has done that.

I think that a more fruitful approach would be to go the webauthn path, and tie into the browser/OS for support (as mentioned in the article). Boom, deployment solved (https://caniuse.com/?search=webauthn has the list; it's most major browsers on mobile and desktop--the only one missing that I'd love to see add it is FireFox on Android).

Now you need to tie into the application and I don't want to diminish that effort. But many apps use libraries or auth servers, so your surface area for deployment is far smaller.

One of those things people who say "I don't understand why anyone uses Windows" don't understand. Something so pervasive and convenient that "we" the industry have given up in moving everything to the web, along with standard menus, ubiquitous keyboard accelerators for menus and dialog boxes, scripting with the likes of COM, ActiveX, AppleScript, or embedded Python/Lua, local snapshots or volume shadow copy, tools like DNSpy and AutoHotkey and SysExporter able to introspect into running programs and their windows and system controls (and they generally weren't obfuscated javascript inside), being able to see different programs in task switchers without them all being wrapped in a web browser.

It was a different and in many ways better world 10-15 years ago.

The latter is the LDAP integrated thing - (re)using the same credentials for multiple/disparate services, controlled centrally.

The former ("true" single sign-on) is logging in once and accessing everything from there.

FWIW there are single sign-on services out there. Okta is used by my current employer, I log into the Okta portal and it has links out to all of the services it supports from there.