by elevation 1742 days ago
Regarding authentication, the "optimal" practice is described as:

> Agency continuously validates identity, not just when access is initially granted.

How does this work practically without having terrible UX? MFA to login, then periodically poll for the presence of a hardware token and less frequently, prompt for password reauthentication?

1 comment

There are programmatic implications for this as well. For example, don't use/trust really long-lived tickets with Kerberos and force renegotiation with the AS. This doesn't require much human interaction if you are using keytabs. However, IMO it is much more important to continuously be checking authorization to ensure no funny business is going on rather than relying upon implied permissions.
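To make the two comments concrete, here is an added example (mine, not code from either commenter and not modelled on any specific product). It simulates the tiered scheme sketched in the question (hardware token re-checked often without a prompt, password re-auth rarely, a hard ticket lifetime like a Kerberos TGT) and the reply's point that authorization is re-evaluated against a live permission store on every request instead of being cached at login. The interval values, the `Policy`/`Session`/`AuthzStore` names and the scripted timeline are all hypothetical.

```python
"""Continuous validation as tiered re-checks plus per-request authorization.

Added example, not from the thread. Assumptions (hypothetical):
- three tiers: token-presence re-check, password re-auth, hard ticket lifetime
- an authorization store consulted on every request (nothing cached in session)
- a caller-supplied clock (`now` in seconds) so the logic is testable offline
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    NEED_TOKEN = "need_token"            # token not seen within the check interval
    NEED_PASSWORD = "need_password"      # password re-auth interval elapsed
    NEED_FULL_LOGIN = "need_full_login"  # ticket lifetime exhausted: renegotiate
    DENY = "deny"                        # authenticated, but not currently authorized


@dataclass
class Policy:
    token_check_interval: int = 5 * 60        # re-verify token presence every 5 min
    password_reauth_interval: int = 8 * 3600  # password prompt at most every 8 h
    ticket_lifetime: int = 10 * 3600          # hard cap, akin to a Kerberos ticket


@dataclass
class Session:
    principal: str
    issued_at: int
    last_token_seen: int
    last_password_auth: int


class AuthzStore:
    """Live permission store; consulted on every request, never copied into the session."""

    def __init__(self, grants):
        self._grants = {p: set(a) for p, a in grants.items()}

    def permits(self, principal, action):
        return action in self._grants.get(principal, set())

    def revoke(self, principal, action):
        self._grants.get(principal, set()).discard(action)


def check_request(session, action, now, token_present, policy, store):
    """Decide one request. Order: hard lifetime, password tier, token tier, authz."""
    # 1. Hard ticket lifetime: once exhausted, only a full login (new ticket) helps.
    if now - session.issued_at >= policy.ticket_lifetime:
        return Verdict.NEED_FULL_LOGIN
    # 2. Password re-auth tier (least frequent, most friction).
    if now - session.last_password_auth >= policy.password_reauth_interval:
        return Verdict.NEED_PASSWORD
    # 3. Token presence tier: frequent but prompt-free as long as the token is there.
    if now - session.last_token_seen >= policy.token_check_interval:
        if not token_present:
            return Verdict.NEED_TOKEN
        session.last_token_seen = now
    # 4. Authorization is re-evaluated against the live store on every request,
    #    so a revocation takes effect immediately rather than at next login.
    if not store.permits(session.principal, action):
        return Verdict.DENY
    return Verdict.ALLOW


def demo():
    """Scripted timeline (constructed); returns the verdict string for each step."""
    policy = Policy()
    store = AuthzStore({"alice": ["read", "write"]})
    s = Session("alice", issued_at=0, last_token_seen=0, last_password_auth=0)
    verdicts = []
    verdicts.append(check_request(s, "read", 60, True, policy, store).value)     # fresh
    verdicts.append(check_request(s, "write", 400, True, policy, store).value)   # token re-seen
    verdicts.append(check_request(s, "write", 800, False, policy, store).value)  # token missing
    store.revoke("alice", "write")                                               # live revocation
    verdicts.append(check_request(s, "write", 820, True, policy, store).value)   # denied now
    verdicts.append(check_request(s, "read", 8 * 3600 + 1, True, policy, store).value)
    verdicts.append(check_request(s, "read", 10 * 3600, True, policy, store).value)
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The ordering matters: the cheapest, prompt-free check (token presence) sits closest to the request path, while the expensive prompts only fire on long intervals, which is what keeps the UX tolerable. The authorization lookup is deliberately last and uncached so that `revoke` changes the very next verdict.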