Under Review

More Granular 2FA Cookie Control than TrustDeviceExpireDays

Spencer77 5 years ago updated by Caitlin M Barnes (Product Manager) 4 years ago 1

I'd like to see better time controls than TrustDeviceExpireDays currently offers.

Use Case: While a lot goes into ensuring our staff's devices do not get compromised, it could be a matter of time. If an attacker took control of a PC here with saved credentials in the browser, if it's within 1 day, 2FA doesn't prompt.

Sure, you could set TrustDeviceExpireDays to 0, but now I feel I'd be annoying staff with that alone combined with MaxLongestTicketReissueIntervalSeconds.

Ideally, I'd like something like "a few hours" for MaxLongestTicketReissueIntervalSeconds, but maybe 9 hours for TrustDeviceExpireDays (obviously, pretending the word "Days" isn't there). This would force users to re-authenticate after a few hours idle, but not necessarily have to use 2FA, making the assumption with the times I provided above that the user is still working his/her shift.

It's not a perfect idea, but it's an improvement to MaxLongestTicketReissueIntervalSeconds = 7200 and TrustDeviceExpireDays = 0