Comment by sangeeth96 5 days ago

2 replies

I disagree with the general advice behind this, even when I'm in a household with trusted (most of the time) family members. Forcing a re-auth ensures that even if I forget to lock my machine/browser, someone can't snoop around. I want this to be the norm especially for my MacBook since, for whatever reason, I might forget to lock or have some program running that'll stop the laptop from auto-locking (e.g. while downloading something that takes a long time), so I don't want someone to be able to seize that opportunity.

It's the same reason I intentionally lock up apps with Touch ID when there's remotely anything sensitive in there. I just don't want someone to be able to snoop if I forget to lock my phone.

I'll say, however, that there should be easier ways to re-auth in such scenarios. Like in my case, Touch ID is not very disruptive to my work even if a prompt appears. I'll also say it's probably stupid to lock out when there's continuous activity (it should lock based on an inactivity period).

The worst offenders in my experience are banking apps. They:

  - Force logout sometimes regardless of ongoing activity
  - Log out as soon as I close the tab
  - Log out when I press the back/reload button
  - After logging out, impose a mandatory inactivity period before I can log in again (this is just the most idiotic thing EVER)
  - Use JS to block any kind of copy/paste operation on username/password fields
  - Never integrate with modern auth mechanisms, not even app-based TOTP!
  - Have crazy password expiry windows (like every quarter) and force password change when your previous password expires, regardless of how strong they are

gs17 5 days ago

> Log out as soon as I close the tab

For a banking app, I think this is fine. A lot of people aren't aware closing a window isn't logging out. The rest of that is dumb, though.

  • sangeeth96 4 days ago

    Nah, that is dumb too. I get what you’re saying though. They could even ask and confirm if that’s the case while logging in and let me have a persistent session on my own machines.