[Edited for clarity & brevity.]
I keep coming back to this theme: What is the value of fixed time-based security events, such as:
- X-day forced password changes,
- Y-minute/hour/day session idle timeouts,
- Z-minute/hour/day hard session timeouts that ignore user activity,
- …?
Re-reading @randynasson’s 2020 article prompted me to wonder what the Auth0 Community thinks.
In a perfect world, risk signals would be reliable enough that we could stop using fixed time-based events altogether. So one answer to my question is “We don’t live in that perfect world, we don’t have risk signals reliable enough to support a purely risk-based architecture, fixed time-based events are our only option in some cases.”
Another good answer is “because the regulators require it.” Working in the financial services sector, that’s an answer I am very familiar with.
Which leads to my real question(s):
- What is it that a threat actor would like to do but cannot do within the window of time offered by the fixed time-based interval?
- E.g., what is it that a threat actor would like to do but cannot do within that X-day forced password expiry window?
CrowdStrike tells us the average breakout time after a breach is about 80 minutes. If your forced password change window is a typical 30/60/90 days, the attacker has plenty of time to achieve their goal, and your forced password change does nothing for your security posture. In fact, evidence suggests it reduces your security posture, since your users now have an incentive to choose a weak password scheme/algorithm.
I believe the same logic applies to session timeouts, and other time-based events.
So my real real question is: What does the Auth0 Community think about this? What am I missing? Are there use cases I’m not seeing where fixed time-based events do improve your security posture?
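To make the idle-vs-hard timeout distinction and the breakout-time comparison concrete, here is an added example (not part of the original post, and not Auth0 code) that models the two session clocks and measures how long a hijacked session stays usable. The policy values, user activity timestamps and hijack time are constructed for the scenario; the 80-minute breakout figure is the one quoted above.

```python
from dataclasses import dataclass

BREAKOUT_SECONDS = 80 * 60  # the ~80 minute average breakout time quoted in the post


@dataclass(frozen=True)
class SessionPolicy:
    idle_timeout: int  # seconds of inactivity before the session is invalidated
    hard_timeout: int  # seconds since login after which the session dies regardless of activity


def session_expiry(login_at: int, activity: list[int], policy: SessionPolicy) -> int:
    """Return the timestamp at which a session is invalidated.

    activity is a sorted list of request timestamps (seconds) on the session.
    Each request resets the idle clock; the hard clock runs from login and
    ignores activity, so a request after the hard deadline is never honoured."""
    hard_deadline = login_at + policy.hard_timeout
    last = login_at
    for t in activity:
        if t > hard_deadline:
            break
        if t - last > policy.idle_timeout:
            return last + policy.idle_timeout  # idle gap exceeded before this request arrived
        last = t
    return min(last + policy.idle_timeout, hard_deadline)


def hijack_window(login_at: int, activity: list[int], policy: SessionPolicy, hijack_at: int) -> int:
    """Seconds a hijacked session stays usable from hijack_at, assuming whoever holds it
    keeps it active (a constructed worst-case assumption). With steady activity the idle
    timeout never fires, so only the hard timeout bounds the window."""
    legit_before = [t for t in activity if t < hijack_at]
    if hijack_at > session_expiry(login_at, legit_before, policy):
        return 0  # the session had already expired before the hijack time
    return login_at + policy.hard_timeout - hijack_at


def breakout_multiple(window_seconds: int) -> float:
    """How many average breakout times fit inside the remaining session window."""
    return window_seconds / BREAKOUT_SECONDS


if __name__ == "__main__":
    # Constructed scenario: 15 min idle timeout, 8 h hard timeout, a user active for the
    # first half hour, and the session token considered compromised at t = 2000 s.
    policy = SessionPolicy(idle_timeout=15 * 60, hard_timeout=8 * 3600)
    user_activity = [100, 500, 1000, 1700]
    window = hijack_window(0, user_activity, policy, hijack_at=2000)
    print(f"session usable for {window} s = {breakout_multiple(window):.1f} breakout times")
```

Shortening the idle timeout changes nothing in this model once the session is kept active; only the hard timeout (or a risk signal that revokes the session) shrinks the window.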