
Is it less secure to force periodic user logouts vs keep them logged in?

Information Security Asked on January 6, 2022

I’ve been unable to find any research or information on this.

Google periodically signs me out and forces me to sign back in. I have multiple devices and multiple Google accounts, so it’s a bit frustrating, but that’s just how it is. However, I was thinking about whether this practice is actually secure.

  1. It seems to encourage easy-to-remember / easy-to-type passwords over longer stronger passwords
  2. There’s more chance for a keylogger to intercept a password
  3. There’s more chance for a physical observer to watch you enter a password
  4. It may desensitise users and lead to them automatically entering their password without checking a url

How does this balance against the inherent insecurity of indefinitely extending a login’s lifetime?

It’s worth noting that Google doesn’t ever log me out of my mobile device – I wonder why it treats this environment differently? Security vs UX concerns?

2 Answers

I agree with your thought that forcing users to re-authenticate frequently weakens security in the ways you describe. However there are also other security and performance factors at play here that may not be as obvious.

When you log in, what happens in the background is that the server issues some kind of "authentication token" to your client (usually a browser). These authentication tokens can take multiple forms, the most common variants are:

  1. A short random value that the server can use to look up your session (often called a Session ID).
  2. A longer data structure that contains metadata about you that the server needs to know about you. This will be cryptographically signed to prevent spoofing.

The big difference between the two is that the first needs the server to remember about your session in memory, while in the second the token contains everything the server needs to know (often called "stateless").

If you want to see this in action, open your browser's dev tools (F12), look at a sent request, and you'll see an auth token either in a cookie or in an Authentication: header.


For a massively distributed system like Google, the idea that every server needs to know about every session for every user in the world is completely unwieldy. So they almost certainly use the second, stateless, approach. The downside to this approach is that since the server doesn't know anything, there is no way to logout a session because as long as the token is still valid, servers will accept it. So they end up doing a hybrid approach where the stateless tokens are typically short-lived (like 15 mins) and the client also gets a long-term "refresh" token which is like the session ID described above and typically lives for weeks or months (it's ok on performance to check the db for each user once every couple weeks rather than on every page load / request).


So back to your question; yes it's true that forcing you to type your password more often is not ideal, but this is already a tricky mechanism to design so that you get the right balance of security (being able to actually enforce logout) against server-side performance (not needing to go to the database on every request). End-user considerations like how often you need to type your password are likely a secondary concern.

Answered by Mike Ounsworth on January 6, 2022
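As an added example (not code from the answer above or from Google), here is the hybrid scheme just described in plain Python: a short-lived HMAC-signed stateless access token next to an opaque refresh token that lives in a server-side store. The key, the 15-minute lifetime and the function names are assumptions made for the demo.

```python
import base64, hashlib, hmac, json, secrets

# Added example of the hybrid scheme above. Assumptions: one server HMAC key,
# 15-minute stateless access tokens, opaque refresh IDs kept in a server store.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"
ACCESS_TTL = 15 * 60
REFRESH_STORE: dict = {}   # refresh ID -> user; the only state the server keeps

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(user: str, now: float) -> str:
    """Stateless token: base64 claims + HMAC-SHA256 tag, nothing stored."""
    claims = _b64(json.dumps({"sub": user, "exp": int(now) + ACCESS_TTL}).encode())
    tag = hmac.new(SERVER_KEY, claims.encode(), hashlib.sha256).hexdigest()
    return f"{claims}.{tag}"

def verify_access_token(token: str, now: float):
    """Return the subject if tag and expiry check out, else None (no DB hit)."""
    try:
        claims, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, claims.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    body = json.loads(_unb64(claims))
    return body["sub"] if now < body["exp"] else None

def login(user: str, now: float) -> tuple:
    """Password check would happen here; the client gets both tokens."""
    refresh_id = secrets.token_urlsafe(32)
    REFRESH_STORE[refresh_id] = user
    return issue_access_token(user, now), refresh_id

def refresh(refresh_id: str, now: float):
    """The DB lookup only happens here, once per access-token lifetime."""
    user = REFRESH_STORE.get(refresh_id)
    return issue_access_token(user, now) if user else None

def logout(refresh_id: str) -> None:
    """Revokes future refreshes; an already-issued access token stays valid until exp."""
    REFRESH_STORE.pop(refresh_id, None)
```

After logout(), refresh() returns None but verify_access_token() still accepts the old token until its 15 minutes run out, which is exactly the logout gap the answer describes.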

Many users use password managers. That's why entering a password more often or less often doesn't make much difference.

  1. It seems to encourage easy-to-remember / easy-to-type passwords over longer stronger passwords

It depends. For users that care about security there may be no difference - entering a password every couple of days may be as hard as entering it every couple of hours. If they want to use some simplifications, they would do that in any case. For users who do care about security there will also be no difference; they would not see much difference between entering a password every couple of days or every couple of hours.

  2. There's more chance for a keylogger to intercept a password

If there is a keylogger running, it doesn't matter how often you enter the password. One time is sufficient.

  3. There's more chance for a physical observer to watch you enter a password

That is true. But if you are in a trusted environment, like at home, you don't care much if somebody observes you. If you are in a non-trusted environment, then you should care about being observed even if you enter a password once a year.

  4. It may desensitise users and lead to them automatically entering their password without checking a url

Again, it depends. Users that don't care about security will not care more if they enter a password less often. For users who do care there will be no difference whether it is a couple of hours or a couple of days.

Advantages

By invalidating user sessions you make sure that the same user communicates with your application. If a user leaves the device (laptop, PC) unattended and not locked, somebody else may use it. Yes, it makes the user experience worse. But it happens often that security conflicts with usability.

Mobile devices are left unattended and unlocked less often than laptops and PCs. Besides, Google doesn't control the laptop or PC, whereas on Android Google can control it fully. In particular, Google knows whether you have automatic screen lock activated or not. Try to deactivate it, reboot, clear cookies, log in, and check whether you will be logged out after some time.

Answered by mentallurg on January 6, 2022
