by pooper 1245 days ago
> Which brings me to the point: Compliance isn't just there to cargocult and boxtick. It's there because, left to their own devices, most organisations/sub-organisations will end up, at pinnacle-best, half-assing security.

There is one company I know of that added a two-step login to their Azure Active Directory where logins expire every twenty-four hours. It made no sense to me why they did things this way. As far as I knew, even Microsoft wasn't this restrictive with logins.

Until I saw last week that people are willing to let tools like https://news.ycombinator.com/item?id=34416386 basically hijack their session tokens. If they can use this for good, imagine what other add-ons can use this for evil...

So I think the idea is that if someone steals your credentials, they will only work for twenty-four hours, and they would fail because hopefully they don't have your two-step authenticator? I still don't like the idea, but at least I see why they'd do this...

Edit: maybe someone else here has a better idea why it is a good idea to require password and two-step authentication every twenty-four hours?

3 comments

> maybe someone else here has a better idea why it is a good idea to require password and two-step authentication every twenty-four hours?

Not saying it's directly the answer here, but some distributed systems lack proper session blocking or revocation, as a session is a signed JWT or similar standalone token.

If the security decision makers favour a guaranteed 24-hour lockout rather than risking that someone whose access has been suspended still has an old session live, this could make sense, since it lets them know and show that access is always "gone" within 24 hours of blocking the person's ability to get a new token.

Here's a real-world example: https://cloudsek.com/security-flaw-in-atlassian-products-jir...

"... cookie validity is 30 days. They only expire when the user logs out, or after 30 days."
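The stateless-token situation this comment describes, as an added example that is not from the thread and not code from any product mentioned in it: a minimal HMAC-signed token verifier (assumed names `issue_token` / `verify_token`, constructed demo key) that applies a hard 24-hour ceiling measured from the issuance time, so a token minted with a 30-day `exp` still stops working after a day. This is what turns a token that cannot be revoked server-side into one whose misuse window is bounded.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key, assumed for this example; a real service loads it from a secret store.
SECRET_KEY = b"demo-signing-key-not-for-production"
# Hard ceiling on how long any token is honoured, whatever its own exp claim says.
MAX_SESSION_AGE = 24 * 60 * 60


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, issued_at: int, lifetime: int) -> str:
    """Mint a minimal HMAC-SHA256 token of the form payload.signature."""
    payload = {"sub": subject, "iat": issued_at, "exp": issued_at + lifetime}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: int,
                 max_age: Optional[int] = MAX_SESSION_AGE) -> Optional[dict]:
    """Return the claims if the token is valid at time `now`, else None.

    After the signature and the token's own exp are checked, max_age is
    enforced from iat: a 30-day token still dies max_age seconds after
    issuance, bounding how long a stolen or not-yet-revocable token stays
    usable. max_age=None disables the ceiling (the 30-day-cookie behaviour).
    """
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # forged or tampered token
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return None  # token's own lifetime is over
        if max_age is not None and now - claims["iat"] >= max_age:
            return None  # hard ceiling reached, regardless of exp
        return claims
    except (ValueError, KeyError, TypeError):  # bad base64/JSON, wrong shape
        return None
```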

24-hour session limits are what's asked from our site reliability (cybersecurity) insurance carrier.