OWASP and NIST are right; it's safer for customers to sign into your app for mere minutes at a time, but it's not safer for your business if that means you lose them. The struggle between user experience and security is real — and it's a choice that's not going away.
Does your app perform a critical function or handle high-risk data such as financial information? OWASP's session management guidance is a 2-5 minute idle timeout for high-value applications and 15-30 minutes for low-risk applications.
NIST SP 800-63B (at AAL2) calls for reauthentication at least once every 12 hours regardless of activity, and session termination after 30 minutes of inactivity. For intermittent reauthentication, that window shrinks to two minutes.
Best practices offer a secure path, and before you choose to extend session length it's worth having a security vs. user experience discussion with your team and your internal stakeholders.
But if you decide that user experience means the difference between keeping or losing a customer, then Auth0 is here for you with long-lived sessions.
"UX can = keeping or losing the customer. Balance #UX and #security with Auth0 long-lived sessions."
Why Customers (And Businesses) Want Long-Lived Sessions
Say you're checking your personal Gmail while walking to your next work meeting. You can do that because you aren't required to log in every time you're idle for two minutes.
For Auth0 customers like Alma Media and other media companies, users may not visit the site on an hourly or even weekly basis. Registered users often visit media sites every two weeks to read content, and if they face the hassle of signing back in, many simply stop visiting. For a media company, audience loss means disappearing ad revenue, because ads are paid on clicks.
Other media companies generate revenue via targeted advertising. They don't want users to have to authenticate every time they return to the site, which might be infrequent. They're after maximum engagement with minimal friction.
Long-lived sessions work extremely well for organizations with periodic or even intermittent engagement cycles.
Maybe you're a utility company whose customers engage on a monthly or quarterly billing cycle, a weekly or monthly online publication, or a marketplace like Autotrader, whose customers engage heavily while purchasing or repairing a car and then go idle until they need it again. These long gaps in use mean users understandably forget their passwords.
We've had some Auth0 customers tell us as much as 22% of their customers forget their passwords each quarter, which leads to lots of call center calls — and a decrease of customer satisfaction alongside an increase in the cost of doing business.
For low-risk engagements, you can provide a much better user experience with a longer session limit (and UX can mean the difference between keeping or losing a customer). While Auth0 is focused on making your applications more secure, we also appreciate how valuable your end user experience is.
100 Days Inactivity/365 Days Total Timeout
Auth0 enables you to customize session lengths for your particular balance of risk and user experience. You can configure session limits with up to 100 days of inactivity (idle timeout) and up to one year in total duration (absolute timeout). This allows companies with quarterly, monthly, or other timelines to reduce friction for end users and provide access to low-risk content and capabilities. And when your customers need to perform higher-risk actions, such as changing account details or updating payment methods, you can rely on Auth0 functionality to programmatically require a fresh password validation as an added layer of security.
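To make the two limits above and the step-up check concrete, here is an added example of the server-side logic (not Auth0's own code or SDK). It assumes a session record that stores its creation time and last-activity time as Unix seconds, an OIDC ID token carrying the standard `auth_time` claim, and a placeholder issuer URL and client ID; the 100-day idle and 365-day absolute values match the limits described in the text, and the sample sessions are constructed for the demonstration.

```javascript
// Added example, not Auth0 code: models an idle timeout, an absolute timeout,
// and a step-up check for high-risk actions based on the OIDC auth_time claim.
// All times are Unix seconds.

const DAY = 24 * 60 * 60;

// Hypothetical low-risk policy using the maximum limits mentioned in the text.
const LOW_RISK_POLICY = { idleSeconds: 100 * DAY, absoluteSeconds: 365 * DAY };

// Returns "active", "expired_idle" or "expired_absolute". The absolute cap is
// checked first: no amount of recent activity can extend a session past it.
function evaluateSession(session, now, policy) {
  if (now - session.createdAt >= policy.absoluteSeconds) {
    return "expired_absolute";
  }
  if (now - session.lastActivity >= policy.idleSeconds) {
    return "expired_idle";
  }
  return "active";
}

// A high-risk action (changing account details, updating a payment method)
// is allowed only if the user actually authenticated, not merely held a live
// session, within maxAgeSeconds. A token with no auth_time is treated as stale.
function requiresStepUp(claims, now, maxAgeSeconds) {
  if (typeof claims.auth_time !== "number") return true;
  return now - claims.auth_time > maxAgeSeconds;
}

// Builds the authorization request that forces a fresh login. max_age is the
// standard OIDC parameter; issuer, clientId and redirectUri are placeholders.
function buildStepUpAuthorizeUrl(issuer, clientId, redirectUri, maxAgeSeconds) {
  const params = new URLSearchParams({
    response_type: "code",
    scope: "openid",
    client_id: clientId,
    redirect_uri: redirectUri,
    max_age: String(maxAgeSeconds),
  });
  return `${issuer}/authorize?${params.toString()}`;
}

// Constructed sample data (not real sessions).
const NOW = 1700000000;
const SAMPLE_SESSIONS = {
  // Created 30 days ago, last seen 20 days ago: still within both limits.
  returningReader: { createdAt: NOW - 30 * DAY, lastActivity: NOW - 20 * DAY },
  // Idle for 101 days: past the idle limit even though under the absolute cap.
  staleReader: { createdAt: NOW - 200 * DAY, lastActivity: NOW - 101 * DAY },
  // Active a minute ago but created 366 days ago: the absolute cap wins.
  yearOld: { createdAt: NOW - 366 * DAY, lastActivity: NOW - 60 },
};

// Walks the samples and returns a map of session name to verdict.
function demo() {
  const verdicts = {};
  for (const [name, session] of Object.entries(SAMPLE_SESSIONS)) {
    verdicts[name] = evaluateSession(session, NOW, LOW_RISK_POLICY);
  }
  return verdicts;
}

console.log(demo());
console.log(
  "step-up needed for payment change:",
  requiresStepUp({ auth_time: NOW - 3600 }, NOW, 300)
);
console.log(
  buildStepUpAuthorizeUrl(
    "https://example.auth0.com",
    "placeholder-client-id",
    "https://app.example/callback",
    0
  )
);
```

The point of checking the absolute limit before the idle limit is that a long idle window must never turn into an unbounded session: a user who visits once every 99 days would otherwise keep a single session alive forever. For the step-up path, the check is on `auth_time` rather than on session liveness, and `max_age=0` asks the identity provider to re-prompt for credentials regardless of the existing session.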
With Auth0's long-lived sessions, session management and Single Sign On (SSO), you can build a better user experience for returning customers, enable personalized targeting for media companies, and lower call center costs to business for password resets. If you'd like to learn more about how Auth0's out-of-the-box functionality can be customized for your needs, please reach out to firstname.lastname@example.org.