top | item 40490329


johnny99k | 1 year ago

Most companies don't implement good security practices because of the inconvenience, not the cost.


caseyy | 1 year ago

I'm not sure it's even that much more inconvenient to do what I suggested.

2FA is probably the biggest inconvenience, but the 2nd factor doesn't have to be TOTP; it can be the employee badge, or biometrics (fingerprint). If it's TOTP, then there are credit card-sized cards with a button and a display. Press a button, get the token. Keep that card at the workplace, such as a work desk at home or the work car, and hacking that account online becomes very difficult.

Session timeouts are not that inconvenient. The employee needs to log in every day, but the session duration can be made 12 hours, so they won't need to log in the same day twice. This is still so much better than 90 day defaults in many places.

And not collecting data to reduce risks is easier than collecting it. It's more of an ethos thing than a cost, unless the company is collecting creepy amounts of data already and that needs to be properly dealt with.

johnny99k | 1 year ago

You underestimate the laziness of the average employee. I've worked at a company that removed 2FA because upper-level management didn't want to have to re-login once/week.