How often would someone need to re-enter the credentials?
Is this expiration also valid for social logins?
I can see that the universal login is based on lock, as it loads the lock script:
<script src="https://cdn.auth0.com/js/lock/11.27/lock.min.js"></script>
So I guess that the renewal limitations of Lock (not using a refresh token) also apply here.