this post was submitted on 10 Apr 2026
Cybersecurity

My company has an external auth provider for the whole organization, and MFA is required (push notification to a phone app). This all works well and I agree with it, BUT they have configured the credentials to expire in 20 minutes. In practice this means everyone in the company is typing their password and fiddling with their phone dozens of times per day to work with any application except for email (somehow it gets away with caching the credentials).

Timeouts for credentials are good, but does this aggressively low setting actually provide increased security?

top 10 comments
[–] CompactFlax@discuss.tchncs.de 5 points 1 day ago* (last edited 1 day ago)

Nothing like training users to punch creds into every box that appears! It is absolutely bad. There’s no need to ask for credentials; the refresh token will be invalidated if passwords change etc.

Plus, it’s expensive. 24 times a day, 30 seconds. 12 min per user per day of wasted productivity.

Sounds like someone just read up on token theft and panicked.

[–] blarth@thelemmy.club 1 points 22 hours ago

In my opinion, somewhat. Tokens that expire can’t be used persistently for exploitation, but if an attacker was able to obtain said token, why wouldn’t they be able to continue obtaining new ones?

Passkeys are the perfect antidote, but their adoption has been hindered by a lack of understanding of how they work, where they’re stored, and a renewed SSO tax, among other factors.

[–] ricecake@sh.itjust.works 6 points 1 day ago (1 children)

That actually makes security much, much worse. It's training users to make authenticating part of their continuous routine, so when a random site that looks like the login page asks for their password they're inclined to simply proceed, since diligence has an excessively big time cost.
Same goes for mfa. If validating every request, particularly if you use a service with push based mfa, takes too much effort then people just fulfill the request.

The ideal is that you only authenticate when it's actually important, as an exceptional circumstance that makes the user pause and make sure things are good. Changing the bank account your pay gets sent to warrants an authentication.
"You've been using email for 20 minutes" doesn't.

Realistically your session should probably be about the length of a workday with a little buffer for people who work a little longer to not end up with 99% of a session sitting open on their laptop. 9-10 hours should be fine.

You want the machine credentials that a laptop uses to talk to the mail server, or the hr software uses to talk to the doobips to have short credentials so if someone hacks the mail server they have a short window to use them, but that doesn't impact user authentication requirements.

[–] lnklnx@piefed.social 3 points 1 day ago

This whole reply strongly agrees with my own personal bias, but I wanted to ask the question just in case I'd talked myself into a position when really 20-minute windows were somehow psychologically better. I just couldn't fathom how, and glad to hear my initial "wtf" position seems to be the correct one.

[–] Onomatopoeia@lemmy.cafe 3 points 1 day ago

20 minutes? Hahaha, someone doesn't know what they're doing.

[–] mech@feddit.org 2 points 1 day ago

That's insane. You shouldn't have to re-login during your work day. And I can't think of any attack vector this would protect against.

[–] Orygin@sh.itjust.works 1 points 1 day ago

The validity of the auth token could be 20 minutes, but the refresh token should have a longer validity time. Exactly to prevent this logging in multiple times per day.

[–] sylver_dragon@lemmy.world 0 points 1 day ago (1 children)

Is the expiration every 20 minutes, no matter what; or, is the expiration after 20 minutes of inactivity? The two have different answers. The former sounds like a misconfiguration and you may want to reach out to your IT team and ask them about it, sometimes mistakes are made and it could just be you having a strange problem. The latter is pretty common and does serve a purpose. Inactivity timers deal with the issue of people logging in, and then walking away from their system. This is common enough that solutions like inactivity timers are used. There are cases where this is a problem and they need to be disabled, but those will usually be policy exceptions and will need to be requested and documented.

If you're getting logged out of your system every 20 minutes, that really sounds like a bug and not a security feature. Get in touch with your IT and/or security team about it.
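To make the distinction drawn in Orygin's and sylver_dragon's comments concrete (a short-lived access token silently renewed by a longer-lived refresh token, versus an absolute 20-minute expiry, versus an inactivity timer), here is an added Python simulation. It is not code from any commenter or from the poster's auth provider; the three policies, the 20-minute and 10-hour lifetimes, the 5-minute request cadence and the 50-minute lunch gap are all constructed assumptions for illustration. It replays one simulated work day against each policy and counts how many times the user would face a password + MFA prompt.

```python
"""Session-lifetime policies compared.

Added example for this thread; not code from any commenter or from the auth
provider described in the post. All lifetimes, the request cadence and the
lunch gap below are constructed assumptions.

  absolute_20m    session dies 20 minutes after login no matter what
                  (what the original post describes)
  inactivity_20m  session dies only after 20 idle minutes
  refresh         20-minute access token silently renewed with a long-lived
                  refresh token; the user is prompted only when that token
                  expires or is revoked server-side (e.g. password change)
"""
from dataclasses import dataclass
from typing import Optional

MIN = 60  # seconds per minute; every time value below is in seconds


@dataclass(frozen=True)
class Policy:
    name: str
    access_ttl: int                    # seconds an access token stays valid
    refresh_ttl: Optional[int] = None  # refresh-token lifetime; None = no refresh tokens
    idle_ttl: Optional[int] = None     # drop the session after this much inactivity


class Session:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.logged_in = False
        self.access_exp = 0
        self.refresh_exp = 0
        self.last_seen = 0
        self.interactive_logins = 0  # password + MFA push prompts the user sees
        self.silent_refreshes = 0    # renewals the user never notices

    def interactive_login(self, now: int) -> None:
        """Full password + MFA prompt: the expensive step users learn to rush."""
        self.interactive_logins += 1
        self.logged_in = True
        self.last_seen = now
        self.access_exp = now + self.policy.access_ttl
        if self.policy.refresh_ttl is not None:
            self.refresh_exp = now + self.policy.refresh_ttl

    def revoke(self, now: int) -> None:
        """Server-side revocation (password change, offboarding): both tokens die."""
        self.access_exp = now
        self.refresh_exp = now

    def request(self, now: int) -> str:
        """Handle one user action at time `now`; return which path was taken."""
        p = self.policy
        if self.logged_in and p.idle_ttl is not None and now - self.last_seen > p.idle_ttl:
            self.interactive_login(now)
            return "login:idle"
        if self.logged_in and now < self.access_exp:
            self.last_seen = now
            return "ok"
        if self.logged_in and p.refresh_ttl is not None and now < self.refresh_exp:
            # Access token expired but the refresh token is still good: renew quietly.
            self.silent_refreshes += 1
            self.access_exp = now + p.access_ttl
            self.last_seen = now
            return "refresh"
        self.interactive_login(now)
        return "login:expired"


# Constructed work-day trace: one request every 5 minutes over 9 hours,
# with a 50-minute lunch gap (no requests between minute 240 and minute 284).
DAY_TRACE = [m * MIN for m in range(0, 9 * 60 + 1, 5) if not 240 <= m < 285]

POLICIES = {
    "absolute_20m": Policy("absolute_20m", access_ttl=20 * MIN),
    "inactivity_20m": Policy("inactivity_20m", access_ttl=10 * 60 * MIN, idle_ttl=20 * MIN),
    "refresh": Policy("refresh", access_ttl=20 * MIN, refresh_ttl=10 * 60 * MIN),
}


def simulate(policy: Policy, trace=DAY_TRACE) -> dict:
    """Replay the trace against one policy and count what the user experiences."""
    s = Session(policy)
    for t in trace:
        s.request(t)
    return {"logins": s.interactive_logins, "refreshes": s.silent_refreshes}


if __name__ == "__main__":
    for name, pol in POLICIES.items():
        print(f"{name:15s} {simulate(pol)}")
```

Running it shows the absolute policy prompting 25 times in the simulated day, the inactivity timer twice (start of day and after lunch), and the refresh-token split once, with the 24 renewals happening silently; `Session.revoke` shows the defender still has a kill switch with the refresh design, since the next request after revocation falls through to a full login.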

[–] lnklnx@piefed.social 0 points 1 day ago* (last edited 1 day ago) (1 children)

I checked. It's deliberate. And it is not inactivity, it is 20 minutes, full stop.

[–] sylver_dragon@lemmy.world 1 points 1 day ago

That does seem like bad design. If it's causing you and your team an inordinate amount of time to constantly re-login, you may want to go up your management chain and try to quantify it. e.g. in an 8 hour day, you would expect to re-login around 24 times in the day. If that takes an average of 2 minutes per login that's 48 minutes per day. Across 260 days (assuming a standard work year), that's 12,480 minutes per year or 208 hours. Multiply that by the rate it costs to keep you employed. This includes both your pay and all the costs of employment; the common rule of thumb is to multiply your hourly rate by 2. So, if you're paid ~$50/hr then it costs ~$100/hr to keep you employed. So, 208 hours of your time is costing the company ~$20,800/yr of lost productivity. That's a significant amount of lost productivity and that is only accounting for 2 minutes per login and not the lost time as you deal with mental context switching. It's not a cheap cost and is not increasing security by all that much.