Wayland’s permission fatigue is undermining security

Article list
Tuesday, August 19, 2025
(updated 
)
Nick Bolton
Nick Bolton
Founder-CTO/CEO at Synergy/Symless

Security by default is an excellent principle. That's why Wayland (the new Linux desktop environment) was designed this way. It prevents applications (like Synergy) from taking control of your system without explicit permission. macOS and Windows do this too, but X11 (Wayland's predecessor) never did. However, there is one major difference between macOS/Windows and Wayland in terms of UX (user experience). They remember what you want, whereas Wayland doesn't (not yet, at least).

When security crosses the line and becomes poor UX by repeating things too frequently, users start to tune out and stop paying attention (for example, mindless enemy operator repetition played right into the hands of WW2 Codebreakers). Constantly showing the same security dialog causes fatigue and causes the user to develop mindless habits. I must admit that I often ignore what app is asking for permission and accept the Wayland/Portal permission dialogs without double checking the app name (please don't use that against me).

Permission fatigue in practice

On Wayland, applications that need access to screen capture or input must ask permission through the Portal system. In theory, that is good. In practice, the same prompts appear repeatedly, even for trusted applications that users already approved.

As a developer of Synergy, this hits me especially hard. Synergy requires input capture and remote desktop permissions to work. During development, I sometimes see these dialogs hundreds of times a day. Every time I restart the app to test a code change, I have to physically switch keyboards to click “Accept” again. It is disruptive and it breaks my workflow.

And for end users, it is just as bad. Repeated prompts create “permission fatigue,” the same phenomenon that plagued Windows with User Account Control (UAC). Once people get used to clicking “Accept” without thinking, the entire security model collapses.

A protest in code

Out of frustration, I wrote a small tool: accept-portal-dialog. It is a hack that automatically dismisses the dialogs on my remote computer so I can keep working without having to awkwardly shift gears.

It is not a secure fix (and was never meant to be). In fact, it deliberately highlights the absurdity of the current situation. I once called it a “peaceful protest in code” but since refined the README a bit. The tool gained traction, and even received attention in the community, such as in the recent video about Wayland portal fatigue. Brodie Robertson describes my tool as janky in it's implementation and horrendous in it's conception, and he's not wrong. Nobody should use this tool. Seriously, please don't, it'll make your security worse.

Real fixes are coming upstream

The good news is that Red Hat engineers, including Peter Hutterer (who-t), are working on a real solution in xdg-desktop-portal. The PR (pull request) lays the groundwork to let users remember and manage permissions for trusted apps.

That is exactly what we need. Users should be able to grant ongoing access to applications they trust, and revoke it later if needed.

I have been participating in the discussion on/around the PR. My interest is that the fix will work for real-world cases like Synergy.

Unfortunately, many users have resigned themselves to a negative view of Wayland and UX, but we believe that with Red Hat driving a significant element of the development of Linux, good UX will eventually find a way. After all, Red Hat needs their users to adopt Wayland willingly; a great deal of the push for Wayland adoption comes from Red Hat, would you believe?

Why it matters for Synergy

Synergy needs to work well on every major desktop operating system, and it only works smoothly when the OS underneath it do. Our success depends on collaboration with upstream projects like Wayland and xdg-desktop-portal.

By working together with Red Hat devs and the wider Linux community, we can strike the right balance between usability and security. Smarter permission management will help to avoid the permission fatique vulnerability that Wayland currently has.

Looking ahead

I want my accept-portal-dialog tool to become obsolete. The long-term solution is a system where trusted applications are remembered, permissions are manageable, and users are not trained to blindly click through endless prompts.

On the Synergy team, we are committed to working with upstream developers to make that idea a reality.

Good security comes from understanding UX; how real people think and behave.

Posted 
August 19, 2025
 by 
Nick Bolton
 (revised on 
)

Get started with Synergy

Learn about Synergy

If you have any further questions, please contact us.