The article covers so much ground that it’s easy to lose sight of the most important facts.
Attacks can bypass a good defence. The old adage of bolting the doors but leaving the windows open springs to mind. For this reason sessions should be managed very carefully and access to data or resources, re-authenticated despite being in a “secure” session.
Unfortunately, the main reason services do not re-authenticate is for fear of aggravating the user. Often the person in charge of the user experience is at loggerheads with the security person. In the end, the customer experience argument often wins out. I’ve heard of apps that maintain a session for 90 days or even longer!
Clearly any technology that lowers the authentication friction and increases the success rate of authentication will help the Customer Experience Manager live in harmony with the Information Security Officer.
The article covers so much ground that it’s easy to lose sight of the most important facts.
Attacks can bypass a good defence. The old adage of bolting the doors but leaving the windows open springs to mind. For this reason sessions should be managed very carefully and access to data or resources, re-authenticated despite being in a “secure” session.
Unfortunately, the main reason services do not re-authenticate is for fear of aggravating the user. Often the person in charge of the user experience is at loggerheads with the security person. In the end, the customer experience argument often wins out. I’ve heard of apps that maintain a session for 90 days or even longer!
Clearly any technology that lowers the authentication friction and increases the success rate of authentication will help the Customer Experience Manager live in harmony with the Information Security Officer.