Today I received an email from our IT department that they are reducing the session timeout for Slack down from what must be weeks to 12 hours.
I often keep having the same debate with my manager - him pushing for shorter timeouts because of security and me pushing for longer ones because users surely don't want to be logging in all the time.
Every morning I have to do a 10 minute dance of launching the VPN, typing in my password, typing a number into the MFA authenticator, logging into various internal websites, and doing the same thing again.
It's always difficult to argue against security because it's one of those things that you can always have more of and it's unclear how much is enough, until you have a breach, at which point it's clear it wasn't enough.
So how do you decide on session timeouts and how do you push back on ones that are onerously short?
It's annoying, to be sure, but in the list of annoying things about the work environment, this doesn't even crack the top 10 for me.
Invariably something is broken in the flow you describe. The VPN is down. Some service I need to log in to isn't cooperating with my single sign-on. It can feel like there are 5 minutes a day where the planets align and work gets done.
It feels more like security theater and a lack of empathy for people doing their work than anything else.