When logged into a web application, the session does not remain valid forever. Typically, the session expires after a fixed time after login, or after the user has been idle for some time. How long should these times be?
Tbh, for typical consumers I think 2-4 hours is fine.
Chances are, if the user cares, they will reuse a session in that timeframe. Otherwise, they log in again.
Any good password manager will clear the clipboard after 10s or so!
Anything that is critical should use a physical key. Is it YubiKey that does this? (I’m sure it’s becoming a web standard).
If the YubiKey needs more? Add a biometrics reader on it. Or a password decrypt.
Have multiple identities or are worried about privacy? Have a key that can provide multiple identities, along with the infra to support this.
Even if we make passwords absolutely tied to a physical sack of meat… There is still social engineering that can use the user to bypass all that!
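The question distinguishes two timers: an absolute lifetime measured from login and an idle timeout measured from the last request. The following is an added example (not code from anyone in this thread) of a server-side session store that enforces both; the 4-hour absolute lifetime matches the upper end of the answer above, and the 30-minute idle window, the `SessionStore` name and the injectable `clock` are assumptions for illustration.

```python
"""Server-side session store enforcing an absolute lifetime and an idle timeout.

Added example, not from the original thread. Timer values are illustrative.
"""
from dataclasses import dataclass
import secrets
import time

ABSOLUTE_LIFETIME = 4 * 3600   # assumed: 4 hours after login, regardless of activity
IDLE_TIMEOUT = 30 * 60         # assumed: 30 minutes with no request ends the session


@dataclass
class Session:
    user: str
    created_at: float   # fixed at login; drives the absolute timer
    last_seen: float    # refreshed on every valid request; drives the idle timer


class SessionStore:
    def __init__(self, absolute_lifetime=ABSOLUTE_LIFETIME,
                 idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self.absolute_lifetime = absolute_lifetime
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so expiry can be tested without sleeping

    def create(self, user):
        """Issue a fresh, unguessable session id (256 bits from the OS CSPRNG)."""
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = Session(user=user, created_at=now, last_seen=now)
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None.

        A session that has exceeded either timer is deleted, so an expired id
        can never come back to life by being presented again later.
        """
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        absolute_expired = now - s.created_at > self.absolute_lifetime
        idle_expired = now - s.last_seen > self.idle_timeout
        if absolute_expired or idle_expired:
            del self._sessions[sid]
            return None
        s.last_seen = now  # sliding idle window; created_at is never touched
        return s.user

    def revoke(self, sid):
        """Explicit logout: drop the session immediately."""
        self._sessions.pop(sid, None)

    def count(self):
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("valid:", store.validate(sid))
    store.revoke(sid)
    print("after logout:", store.validate(sid))
```

Note that activity only slides the idle window; the absolute timer keeps counting from login, which is what bounds how long a stolen cookie stays useful to an attacker even if they keep the session active.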