That actually makes security much, much worse. It’s training users to make authenticating part of their continuous routine, so when a random site that looks like the login page asks for their password you’re inclined to simply proceed, since diligence has an excessively big time cost.
Same goes for mfa. If validating every request, particularly if you use a service with push based mfa, takes too much effort then people just fulfill the request.
The ideal is that you only authenticate when it’s actually important, as an exceptional circumstance that makes the user pause and make sure things are good. Changing the bank account your pay gets sent to warrants an authentication.
“You’ve been using email for 20 minutes” doesn’t.
Realistically your session should probably be about the length of a workday with a little buffer for people who work a little longer to not end up with 99% of a session sitting open on their laptop. 9-10 hours should be fine.
You want the machine credentials that a laptop uses to talk to the mail server, or the hr software uses to talk to the doobips to have short credentials so if someone hacks the mail server they have a short window to use them, but that doesn’t impact user authentication requirements.
That actually makes security much, much worse. It’s training users to make authenticating part of their continuous routine, so when a random site that looks like the login page asks for their password you’re inclined to simply proceed, since diligence has an excessively big time cost.
Same goes for mfa. If validating every request, particularly if you use a service with push based mfa, takes too much effort then people just fulfill the request.
The ideal is that you only authenticate when it’s actually important, as an exceptional circumstance that makes the user pause and make sure things are good. Changing the bank account your pay gets sent to warrants an authentication.
“You’ve been using email for 20 minutes” doesn’t.
Realistically your session should probably be about the length of a workday with a little buffer for people who work a little longer to not end up with 99% of a session sitting open on their laptop. 9-10 hours should be fine.
You want the machine credentials that a laptop uses to talk to the mail server, or the hr software uses to talk to the doobips to have short credentials so if someone hacks the mail server they have a short window to use them, but that doesn’t impact user authentication requirements.