My company has an external auth provider for the whole organization, and MFA is required (push notification to a phone app). This all works well and I agree with it, BUT they have configured the credentials to expire in 20 minutes. In practice this means everyone in the company is typing their password and fiddling with their phone dozens of times per day to work with any application except for email (somehow it gets away with caching the credentials).

Timeouts for credentials are good, but does this aggressively low setting actually provide increased security?

  • ricecake@sh.itjust.works · 29 upvotes · 2 days ago

    That actually makes security much, much worse. It’s training users to make authenticating part of their continuous routine, so when a random site that looks like the login page asks for their password you’re inclined to simply proceed, since diligence has an excessively big time cost.
    Same goes for MFA. If validating every request, particularly if you use a service with push-based MFA, takes too much effort, then people just fulfill the request.

    The ideal is that you only authenticate when it’s actually important, as an exceptional circumstance that makes the user pause and make sure things are good. Changing the bank account your pay gets sent to warrants an authentication.
    “You’ve been using email for 20 minutes” doesn’t.

    Realistically your session should probably be about the length of a workday with a little buffer for people who work a little longer to not end up with 99% of a session sitting open on their laptop. 9-10 hours should be fine.

    You want the machine credentials that a laptop uses to talk to the mail server, or the HR software uses to talk to the doobips, to have short credentials so if someone hacks the mail server they have a short window to use them, but that doesn’t impact user authentication requirements.

    • lnklnx@piefed.social (OP) · 6 upvotes · 2 days ago

      This whole reply strongly agrees with my own personal bias, but I wanted to ask the question just in case I’d talked myself into a position when really 20-minute windows was somehow psychologically better. I just couldn’t fathom how, and glad to hear my initial “wtf” position seems to be the correct one.

  • CompactFlax@discuss.tchncs.de · 8 upvotes · 2 days ago · edited

    Nothing like training users to punch creds into every box that appears! It is absolutely bad. There’s no need to ask for credentials; the refresh token will be invalidated if passwords change etc.

    Plus, it’s expensive. 24 times a day, 30 seconds. 12 min per user per day of wasted productivity.

    Sounds like someone just read up on token theft and panicked.

  • NightFantom@slrpnk.net · 9 upvotes · 2 days ago

    Not really, as too much friction causes people to bypass it in other ways. Ask about things like yubikeys perhaps?

  • Pommes_für_dein_Balg@feddit.org · 5 upvotes · 2 days ago

    That’s insane. You shouldn’t have to re-login during your work day. And I can’t think of any attack vector this would protect against.

  • blarth@thelemmy.club · 1 upvote · 1 day ago

    In my opinion, somewhat. Tokens that expire can’t be used persistently for exploitation, but if an attacker was able to obtain said token, why wouldn’t they be able to continue obtaining new ones?

    Passkeys are the perfect antidote, but their adoption has been hindered by a lack of understanding of how they work, where they’re stored, and a renewed SSO tax, among other factors.

  • Orygin@sh.itjust.works · 4 upvotes · 2 days ago

    The validity of the auth token could be 20 minutes, but the refresh token should have a longer validity time. Exactly to prevent this logging in multiple times per day.

  • sylver_dragon@lemmy.world · 3 upvotes · 2 days ago

    Is the expiration every 20 minutes, no matter what; or, is the expiration after 20 minutes of inactivity? The two have different answers. The former sounds like a misconfiguration and you may want to reach out to your IT team and ask them about it, sometimes mistakes are made and it could just be you having a strange problem. The latter is pretty common and does serve a purpose. Inactivity timers deal with the issue of people logging in, and then walking away from their system. This is common enough that solutions like inactivity timers are used. There are cases where this is a problem and they need to be disabled, but those will usually be policy exceptions and will need to be requested and documented.

    If you’re getting logged out of your system every 20 minutes, that really sounds like a bug and not a security feature. Get in touch with your IT and/or security team about it.

    • lnklnx@piefed.social (OP) · 3 upvotes · 2 days ago · edited

      I checked. It’s deliberate. And it is not inactivity, it is 20 minutes, full stop.

      • sylver_dragon@lemmy.world · 3 upvotes · 2 days ago

        That does seem like bad design. If it’s causing you and your team an inordinate amount of time to constantly re-login, you may want to go up your management chain and try to quantify it. E.g. in an 8-hour day, you would expect to re-login around 24 times in the day. If that takes an average of 2 minutes per login, that’s 48 minutes per day. Across 260 days (assuming a standard work year), that’s 12,480 minutes per year or 208 hours. Multiply that by the rate it costs to keep you employed. This includes both your pay and all the costs of employment; the common rule of thumb is to multiply your hourly rate by 2. So, if you’re paid ~$50/hr then it costs ~$100/hr to keep you employed. So, 208 hours of your time is costing the company ~$20,800/yr of lost productivity. That’s a significant amount of lost productivity, and that is only accounting for 2 minutes per login and not the lost time as you deal with mental context switching. It’s not a cheap cost and is not increasing security by all that much.

        • lnklnx@piefed.social (OP) · 4 upvotes · 2 days ago

          Thanks for the breakout. It’s pretty ridiculous, I’ll see if I can take it up with my manager.
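
Orygin’s point (a short-lived access token behind a longer-lived refresh token) and sylver_dragon’s distinction (absolute expiry versus inactivity timeout) can be put side by side in a small simulation. This is an added example, not code from anyone in the thread; the token lifetimes, the 09:00 to 18:00 activity pattern and the lunch break are assumed values constructed to mirror the discussion.

```python
"""Added example (not from the thread): count interactive logins per workday
under three session policies, using constructed activity and assumed lifetimes
chosen to mirror the discussion (20-min access token, refresh token, idle timeout)."""
from dataclasses import dataclass
from typing import List, Optional

MIN, HOUR = 60, 3600  # seconds

@dataclass(frozen=True)
class Policy:
    access_ttl: int              # access-token lifetime
    refresh_ttl: Optional[int]   # refresh-token lifetime; None = no refresh token at all
    idle_timeout: Optional[int]  # refresh refused after this much inactivity; None = never

# Constructed activity: one request every 5 min from 09:00 to 18:00 (t = seconds
# after 09:00), with no requests during a 12:30-13:15 lunch break.
WORKDAY: List[int] = [m * MIN for m in range(0, 540, 5) if not 210 <= m < 255]

def count_prompts(activity: List[int], policy: Policy) -> int:
    """Return how many times the user must type a password and approve a push."""
    prompts = 0
    access_exp = refresh_exp = -1          # nothing issued before the first request
    last_seen: Optional[int] = None
    for t in activity:
        if t < access_exp:                 # access token still valid: nothing to do
            last_seen = t
            continue
        idle = (policy.idle_timeout is not None and last_seen is not None
                and t - last_seen > policy.idle_timeout)
        if policy.refresh_ttl is not None and t < refresh_exp and not idle:
            pass                           # silent refresh; the user sees nothing
        else:
            prompts += 1                   # interactive login: password + push MFA
            if policy.refresh_ttl is not None:
                refresh_exp = t + policy.refresh_ttl
        access_exp = t + policy.access_ttl
        last_seen = t
    return prompts

POLICIES = {
    "hard 20-minute expiry, no refresh token (the OP's setup)": Policy(20 * MIN, None, None),
    "20-minute access token + 10-hour refresh token": Policy(20 * MIN, 10 * HOUR, None),
    "same, plus a 30-minute inactivity timeout": Policy(20 * MIN, 10 * HOUR, 30 * MIN),
}

if __name__ == "__main__":
    for name, pol in POLICIES.items():
        print(f"{count_prompts(WORKDAY, pol):3d} logins/day  {name}")
```

With these assumptions the hard 20-minute expiry forces 26 logins over the constructed day, the refresh-token policy forces one, and the inactivity variant forces two (the second one after the 50-minute lunch gap), so the short access-token lifetime is preserved without re-prompting the user every 20 minutes.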

  • dragnucs@lemmy.ml · 1 upvote · 2 days ago

    Is it a hard 20min expiration or after 20 min of idle/no use?

    We have Salesforce at work, and the website asks for credentials after like 10 min of inactivity. Very frustrating, since if you focus on your IDE for 15 min then go back to the admin panel you need to re-login. So people just developed some extensions that keep the session alive and also autofill the 2FA. Otherwise we lose like 1h of just logging in per day.