Security software developer explains why forcing users to frequently re-login is 'outdated'



When using online services, you may be logged out of the service without realizing it and be asked to log in again.

Tailscale, a VPN service provider, has pointed out that this is meaningless from a security perspective and is 'outdated.'

Frequent reauth doesn't make you more secure
https://tailscale.com/blog/frequent-reath-security



VPN service provider Tailscale is built to provide seamless secure access, but it points out that security tools can sometimes get in the way. One example is constant login requests, which Tailscale says are not only disruptive and frustrating to users, but can also weaken your security posture.

There are many cases where a session is terminated and you are asked to log in again. This was not a big problem in the past when you were only required to enter your password, but with the spread of multi-factor authentication, logging in to your account again requires more steps and takes more time. In addition, Tailscale points out that 'multi-factor authentication fatigue attacks,' a type of phishing attack that has been increasing in recent years, are more successful as legitimate multi-factor authentication requests increase.

There was a time when everyone believed that changing passwords frequently was a good security practice, but it turns out that the opposite is true.

There is a problem with the system specifications that require passwords to be changed periodically - GIGAZINE



Similarly, everyone believes that frequent logins are an effective security measure, but in reality, Tailscale points out that this is not the case. 'If authentication is effective, it makes sense to think that the more authentications you have, the better, right? It may be natural to think that if taking one vitamin a day is good, then taking 20 would be even better! But in reality, this is not the case,' he writes.

Tailscale points out that frequent logins do not necessarily equate to better security, and explains that the key factors in improving security are 'how well access is managed, how quickly you can respond to changes in your account's policies, and how confident you are that your keys have not been leaked since your last authentication.'

So why are you asked to log in again so frequently? Tailscale explains that the reason is that 'admins can't be sure that changes will be reflected immediately.' In particular, in the case of the user authentication standard SAML, the identity provider (IdP) may be configured to send policy attributes to the app only during the user's interactive login process, which can be problematic as updates are impossible without a new login.



First of all, most attackers don't sit in the office and wait for you to leave your PC. Because attackers are remote, phishing attacks are the attack vector (how they get into your network and systems). Your best bet as an administrator is to assume that a remote attacker already has your password and configure your systems accordingly. This means that two-factor authentication is the most important defense against remote attacks.

Of course, a physical PC could be stolen. If your laptop is stolen, the screen is usually already locked. A thief who randomly picks up your laptop in a cafe likely doesn't know your password. But if your system requires frequent logins, it clearly gives attackers many opportunities to steal your credentials. 'Not only is this annoying for users, it could be disastrous for security,' Tailscale said.

On the other hand, OS-imposed screen locks that are performed when a user leaves the PC can be irritating because they act like frequent re-logins, but Tailscale points out that 'if the screen is locked, all other sessions are also secure, so it should be actively implemented.'

Some web apps are designed to log you out immediately, assuming you might be using a shared computer. This would have been a reasonable design for an 'Internet cafe in 2006,' but for most people, Tailscale points out, it's too much. 'When you're dealing with highly sensitive and disproportionately valuable information like a bank, a 15-minute session duration makes sense because you want to have a little leeway. But most websites set expiration times of 7 or 30 days, which are considered 'moderate.' This doesn't help. It's an annoying rule that's too long to prevent session hijacking, but too short for users. It's the best of both worlds.'



To properly manage security, you need to ensure that the device is in the possession of the original owner in important cases. To do this, Tailscale argues that user authentication should occur immediately before important operations, rather than requiring re-login every few hours. That's why Tailscale SSH check mode and Tailscale Slack Accessbot exist, explaining, 'These tools authenticate users only when actually necessary, not on an arbitrary timer.'

Security should be continuous, not tied to arbitrary iterative cycles. Tools like device posture checks, which assess the security posture of devices, and SCIM-based access controls can update security attributes and policies in real time in the background, without bothering the user. Tailscale explains that being able to update policies in seconds or minutes removes the need to compromise between short re-authentication times (which are very intrusive) and long re-authentication times (which are less protective).
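The two ideas in the preceding paragraphs (step-up authentication right before a sensitive operation, and live policy updates pushed in the background instead of a session timer) can be shown side by side in a small model. The following is an added example written for this article; it is not Tailscale's code and does not reproduce how Tailscale SSH check mode or Accessbot is implemented. The user, device and policy names, the 5-minute step-up window and the 7-day timer expiry are all constructed values for illustration; `scim_deprovision` and `posture_report` stand in for whatever channel an IdP or device-management system would actually use to push changes.

```python
from dataclasses import dataclass, field

# Constructed values: a sensitive action needs an interactive auth no older than this...
STEP_UP_MAX_AGE = 5 * 60
# ...while the timer-only model for comparison uses a "moderate" 7-day session expiry.
TIMER_SESSION_AGE = 7 * 24 * 3600

# Hypothetical set of operations that warrant a fresh authentication.
SENSITIVE_ACTIONS = {"ssh", "rotate_key", "delete_repo"}


@dataclass
class Session:
    user: str
    device_id: str
    created_at: float              # when the session token was issued
    last_interactive_auth: float   # most recent completed password + MFA login


@dataclass
class PolicyStore:
    """State the IdP / MDM keeps current in the background (SCIM push, posture reports).
    Names and structure are constructed for this example."""
    active_users: set = field(default_factory=set)
    compliant_devices: set = field(default_factory=set)

    def scim_deprovision(self, user: str) -> None:
        # Offboarding pushed by HR/IdP; takes effect on the next request, not at session expiry.
        self.active_users.discard(user)

    def posture_report(self, device_id: str, compliant: bool) -> None:
        # Device posture check result reported without any user interaction.
        if compliant:
            self.compliant_devices.add(device_id)
        else:
            self.compliant_devices.discard(device_id)


def timer_authorize(session: Session, action: str, now: float) -> str:
    """Timer-only model: the only question asked is how old the session is."""
    if now - session.created_at > TIMER_SESSION_AGE:
        return "relogin_required"
    return "allow"


def continuous_authorize(session: Session, action: str, policy: PolicyStore, now: float) -> str:
    """Continuous model: every request consults live policy; only sensitive
    actions demand a recent interactive authentication (step-up)."""
    if session.user not in policy.active_users:
        return "deny:user_deprovisioned"
    if session.device_id not in policy.compliant_devices:
        return "deny:device_noncompliant"
    if action in SENSITIVE_ACTIONS and now - session.last_interactive_auth > STEP_UP_MAX_AGE:
        return "step_up_required"
    return "allow"


def record_step_up(session: Session, now: float) -> None:
    """Called once the user has completed the interactive auth for a sensitive action."""
    session.last_interactive_auth = now


def run_scenario() -> dict:
    """Walk through a constructed day in the life of one session and return each decision."""
    policy = PolicyStore({"alice"}, {"laptop-1"})
    t0 = 1_700_000_000.0
    s = Session("alice", "laptop-1", created_at=t0, last_interactive_auth=t0)
    log = []

    # Two hours in: a routine read is served from the session; SSH needs step-up first.
    t = t0 + 2 * 3600
    log.append(("read", continuous_authorize(s, "read", policy, t)))
    log.append(("ssh", continuous_authorize(s, "ssh", policy, t)))
    record_step_up(s, t)
    log.append(("ssh_after_stepup", continuous_authorize(s, "ssh", policy, t + 30)))

    # A background posture check fails: the very next request is denied, no timer involved.
    policy.posture_report("laptop-1", compliant=False)
    log.append(("read_bad_posture", continuous_authorize(s, "read", policy, t + 60)))
    policy.posture_report("laptop-1", compliant=True)

    # One day in, alice is offboarded via SCIM. The timer model keeps allowing for six more days.
    t = t0 + 24 * 3600
    policy.scim_deprovision("alice")
    log.append(("timer_after_offboard", timer_authorize(s, "read", t)))
    log.append(("continuous_after_offboard", continuous_authorize(s, "read", policy, t)))
    return dict(log)


if __name__ == "__main__":
    for step, decision in run_scenario().items():
        print(f"{step:28s} -> {decision}")
```

The contrast in the last two decisions is the point of the article: with a 7-day timer the offboarded user keeps access until the clock runs out, while the continuous model cuts access on the next request and only ever interrupts the user for the actions that justify it.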

Tailscale also wrote that 'the best security is stress-free security.'

in Security, Posted by logu_ii