My company has an external auth provider for the whole organization, and MFA is required (push notification to a phone app). This all works well and I agree with it, BUT they have configured the credentials to expire in 20 minutes. In practice this means everyone in the company is typing their password and fiddling with their phone dozens of times per day to work with any application except for email (somehow it gets away with caching the credentials).
Timeouts for credentials are good, but does this aggressively low setting actually provide increased security?
That actually makes security much, much worse. It’s training users to make authenticating part of their continuous routine, so when a random site that looks like the login page asks for their password you’re inclined to simply proceed, since diligence has an excessively big time cost.
Same goes for mfa. If validating every request, particularly if you use a service with push based mfa, takes too much effort then people just fulfill the request.
The ideal is that you only authenticate when it’s actually important, as an exceptional circumstance that makes the user pause and make sure things are good. Changing the bank account your pay gets sent to warrants an authentication.
“You’ve been using email for 20 minutes” doesn’t.
Realistically your session should probably be about the length of a workday with a little buffer for people who work a little longer to not end up with 99% of a session sitting open on their laptop. 9-10 hours should be fine.
You want the machine credentials that a laptop uses to talk to the mail server, or the hr software uses to talk to the doobips to have short credentials so if someone hacks the mail server they have a short window to use them, but that doesn’t impact user authentication requirements.
This whole reply strongly agrees with my own personal bias, but I wanted to ask the question just in case I’d talked myself into a position when really 20-minute windows was somehow psychologically better. I just couldn’t fathom how, and glad to hear my initial “wtf” position seems to be the correct one.