This just smacks of the inability of some people to care about the users that have to use the system to create the revenue that feeds the company that pays the wages of the people that should really care more about the users.

Check this out - its a third party external system we use here at work (i.e. we have zero control over this process), all steps are required to use just one application, and the user gets booted after a few mins of inactivity:

1.    Log in to *******
2.    Visit the ******** web site: https:***************************
3.    Username: ***********
4.    Password: ********** followed by the display on your token. E.g. if your password is “*********” and your token reads “********” then enter “***************”.
5.    Once you see ********************, you will be asked to log in again.
6.    Username: ************
7.    Password: ************* (exactly as written including capitals) (different to first password, not choosable, and very complex for n00bs)
8.    Click the “**********” application icon
9.    Wait for the security warning to pop up, then click okay
10.    Wait for login to occur (~ 1 minute)
11.    Once ************ application opens you will be asked to login (again!!)
12.    Username: *************** (different username to first two)
13.    Password: ************** (different password again to each of the other two)