The Value of Time-based Security Events

[Edited for clarity & brevity.]

I keep coming back to this theme: What is the value of fixed time-based security events, such as:

  • X-day forced password changes,
  • Y-minute/hour/day session idle timeouts,
  • Z-minute/hour/day hard session timeouts that ignore user activity,

?

Re-reading @randynasson’s 2020 article prompted me to wonder what the Auth0 Community thinks.

In a perfect world, risk signals would be reliable enough that we could stop using fixed time-based events altogether. So one answer to my question is “We don’t live in that perfect world, we don’t have risk signals reliable enough to support a purely risk-based architecture, fixed time-based events are our only option in some cases.”

Another good answer is “because the regulators require it.” Working in the financial services sector, that’s an answer I am very familiar with.

Which leads to my real question(s):

  • What is it that a threat actor would like to do but cannot do within the window of time offered by the fixed time-based interval?
  • E.g., what is it that a threat actor would like to do but cannot do within that X-day forced password expiry window?

CrowdStrike tells us the average breakout time after a breach is about 80 minutes. If your forced password change window is a typical 30/60/90 days, the attacker has plenty of time to achieve their goal, and your forced password change does nothing for your security posture. In fact, evidence suggests it reduces your security posture since your users now have an incentive to choose a weak password scheme/algorithm.

I believe the same logic applies to session timeouts, and other time-based events.

So my real real question is: What does the Auth0 Community think about this? What am I missing? Are there use cases I’m not seeing where fixed time-based events do improve your security posture?

3 Likes
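As an added example (not from the post or from Auth0), here is a small Python model of the idle and hard session timeouts listed above. It measures how long a stolen, actively used session stays usable under each policy, so the window can be compared with the 80-minute breakout figure quoted in the post; all timeout values and the hijack timing are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy values; 80 minutes is the breakout time the post cites.
IDLE_15_MIN = 15 * 60
ABSOLUTE_8_H = 8 * 3600
BREAKOUT_80_MIN = 80 * 60


@dataclass
class Session:
    issued_at: int      # seconds, relative to login at t=0
    last_activity: int  # seconds of the most recent request


@dataclass
class SessionPolicy:
    idle_timeout_s: int
    absolute_timeout_s: Optional[int] = None  # None = no hard timeout

    def is_valid(self, s: Session, now: int) -> bool:
        # Idle timeout: rejected once the gap since the last request is too long.
        if now - s.last_activity > self.idle_timeout_s:
            return False
        # Hard timeout: rejected once the session age exceeds the cap, activity or not.
        if self.absolute_timeout_s is not None and now - s.issued_at > self.absolute_timeout_s:
            return False
        return True


def usable_window_after_hijack(policy: SessionPolicy, hijack_at: int,
                               request_every_s: int, horizon_s: int) -> int:
    """Seconds a stolen session remains usable when its holder keeps sending a
    request every request_every_s. The session was created at t=0 and was
    active at the moment it was taken; observation stops at horizon_s."""
    s = Session(issued_at=0, last_activity=hijack_at)
    t = hijack_at
    while t + request_every_s <= horizon_s:
        t += request_every_s
        if not policy.is_valid(s, t):
            return (t - request_every_s) - hijack_at  # last moment it still worked
        s.last_activity = t  # each accepted request refreshes the idle clock
    return horizon_s - hijack_at


def window_shorter_than_breakout(window_s: int, breakout_s: int = BREAKOUT_80_MIN) -> bool:
    """True only if the policy expires the session before an average breakout completes."""
    return window_s < breakout_s
```

With an idle-only policy a session refreshed every few minutes never expires, while the 8-hour hard cap bounds it to the remaining session age; in both constructed cases the usable window is still far longer than the cited breakout time.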

Hey @markd !

Great writeup! Let me try to connect you with some of our product managers to get their view on that!

1 Like

Hey Mark!

I reached out to Randy and he’s willing to provide you with a think piece, but currently he’s overloaded, so if you’re willing to wait, we’re gonna share it with you once Randy has some time to craft an appropriate response 🙂

Certainly! No rush … just posting some shower thoughts. 🙂

1 Like