When designing secure systems, every other service uses the logic that any interactions involving authentication need to be brief, to the point, and only when required.
E.g., when Microsoft was making UAC in Windows Vista, it was criticised as being extremely naggy. People were conditioned into pressing yes because they were given choices too often. Eventually, people stopped even reading or processing the messages; if one said "This is a virus, do you wish to continue?", people would still click yes because they are overexposed and simply do not consider the implication of what they are doing.
In Windows 7, significant changes were made to reduce the amount of information on screen and how often it was asked, so that the times it actually was important were more clearly distinguished from the times it was noise.
Similarly, basically every website uses this when it comes to logging in. The more a user is exposed to login forms, the more they will blindly type in their passwords without considering if it's a phishing site, the more they will prefer to use weaker passwords to offset the fact that they are entered more regularly, and the more they will avoid 2FA because it is annoying.
There is zero benefit to requiring a user to keep logging in more often. In any situation where you cannot trust the computer you're on, you've already lost. If you are on a public PC, you have lost by default and a timeout is not going to help you, so there's literally no point discussing it. You are entirely placing trust in the PC you are on in every situation, and if you place trust blindly, then no antivirus in the world is going to help you.
And that's what this comes down to. By encouraging users to log in every single time, they begin to trust things more blindly, and the chance of getting phished goes UP, because they are less likely to think "aren't I already logged in" and question what's going on.
This is why literally every other service doesn't demand it.
01-Nov-2020 12:59:05 - Last edited on 01-Nov-2020 13:04:30 by Hmm