We see it all the time. We log in to a web site but after not doing anything on the site for a while — sometimes as little as 10 minutes — the site reports “your session has timed out, please log in again.”
And you get the login screen. Which offers, along with the ability to log in, a link marked “Forgot your password?” that lets you reset (OK) or recover (very bad) your password via your E-mail account.
The same E-mail account you are almost surely logged into in another tab or another window on your desktop. The same e-mail account that lets you go a very long time idle before needing authentication again — perhaps even forever.
So if you’ve left your desktop and some villain has come to your computer and wants to get into that site that oh-so-wisely logged you out, all they need to do is click to recover the password, go into the E-mail to learn it, delete that E-mail and log in again.
Well, that’s if you don’t, as many people do, have your browser remember passwords, in which case they can log in again without any trouble at all.
It’s a little better if the site does only password reset rather than password recovery. In that case, they have to change your password, and you will at least detect that they did, because you can’t log in any more and have to do a password reset yourself. That is, if you don’t just think, “Damn, I must have forgotten that password. Oh well, I will reset it now.”
In other words, a lot of user inconvenience for no security, except among the most paranoid who also have their E-mail auth time out just as quickly, which is nobody. Those who have their whole computer lock with the screen saver are a bit better off, as everything is locked out, as long as they also use whole disk encryption to stop an attacker from reading stuff off the disk.
Now you might say that this session expiration protects us from people who hijack our web connections, sniff our cookies and take over our sessions. Of course, they can do that even if we don’t leave the computer idle. But that is only the case if the site does not encrypt the session with HTTPS/TLS in the first place. Which, if they care about security enough to make my session time out in 10 minutes to an hour, they should have been doing.
(Fortunately most E-mail links, be they web mail or IMAP/POP, can usually be done encrypted. In fact, I don’t even open the unencrypted IMAP ports on my servers, as there are no clients left that can’t handle it.)
What is the answer? There are several; some are doable today:
- Of course, all sites should be all-https, especially if there is anything secure about them. (It’s OK if you want to just do things like read public blogs as an anonymous user in the clear.)
- Password recovery should never be done, only password reset.
- When I do a reset (or, wrongly, a recovery), the site should keep reminding me for a while afterwards, each time I log in, that it was done, so deleting the e-mails doesn’t hide that it happened.
- Let users set their own session timeouts to match their own security regimes. You can default to short but don’t bar users from lengthening it if they are aware of their own security threats.
- Two-factor auth is already getting more widely deployed. It is a pain but does eliminate the ability to reset or recover passwords just with access to email or a machine.
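The three points about reset versus recovery, the post-reset reminder and the user-chosen session timeout can be shown together in one small account store. This is an added example, not code from the post: it keeps only a salted hash of the password (so recovery is impossible by construction and only reset remains), issues single-use, short-lived reset tokens of which only a hash is stored, records when the last reset happened so later logins can surface a notice, and lets each user choose an idle timeout inside server-set bounds. The constants (15-minute token life, two-week notice window, 5-minute to 30-day timeout range) are assumed policy values, not anything the post specifies.

```python
# Added example: reset-only passwords, post-reset reminder, user-chosen idle timeout.
# All policy constants below are assumptions for illustration.
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

RESET_TOKEN_TTL = 15 * 60            # a reset link is valid for 15 minutes
RESET_NOTICE_WINDOW = 14 * 86400     # remind the user at login for two weeks after a reset
MIN_IDLE, DEFAULT_IDLE, MAX_IDLE = 5 * 60, 15 * 60, 30 * 86400  # bounds on idle timeout


def _hash_password(password: str, salt: bytes) -> bytes:
    # Only this derived value is ever stored, so the plaintext cannot be "recovered".
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    idle_timeout: int = DEFAULT_IDLE
    last_reset_at: Optional[float] = None      # None until a reset has happened
    reset_token_hash: Optional[bytes] = None   # hash of the outstanding reset token, if any
    reset_token_expires: float = 0.0


class Accounts:
    def __init__(self) -> None:
        self._users: Dict[str, Account] = {}

    def create(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = Account(salt, _hash_password(password, salt))

    def check_password(self, user: str, password: str) -> bool:
        acct = self._users.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))

    def recover_password(self, user: str) -> str:
        # Deliberately unsupported: there is no plaintext to send back.
        raise NotImplementedError("only a salted hash is stored; use start_reset instead")

    def start_reset(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        acct = self._users[user]
        token = secrets.token_urlsafe(32)
        # Store only a hash so a database read does not yield a usable reset link.
        acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
        acct.reset_token_expires = now + RESET_TOKEN_TTL
        return token  # this is what goes into the e-mail

    def finish_reset(self, user: str, token: str, new_password: str,
                     now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        acct = self._users[user]
        if acct.reset_token_hash is None or now > acct.reset_token_expires:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(acct.reset_token_hash, presented):
            return False
        acct.reset_token_hash = None               # single use
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash_password(new_password, acct.salt)
        acct.last_reset_at = now                   # remembered for the login notice
        return True

    def login_notices(self, user: str, now: Optional[float] = None) -> List[str]:
        now = time.time() if now is None else now
        acct = self._users[user]
        if acct.last_reset_at is not None and now - acct.last_reset_at < RESET_NOTICE_WINDOW:
            days = int((now - acct.last_reset_at) // 86400)
            return [f"Your password was reset {days} day(s) ago. If that was not you, contact support."]
        return []

    def set_idle_timeout(self, user: str, seconds: int) -> int:
        # The user picks the value; the server only clamps it into its allowed range.
        clamped = max(MIN_IDLE, min(MAX_IDLE, seconds))
        self._users[user].idle_timeout = clamped
        return clamped

    def session_expired(self, user: str, last_activity: float,
                        now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now - last_activity > self._users[user].idle_timeout
```

The reminder is driven by `last_reset_at` on the account, not by the e-mail, so deleting the reset message from the inbox does not erase the evidence at the next login.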
Harder but better:
- The whole idea of login and passwords and sessions should go away, and be replaced by auth engines in the browser which let the OS and user manage security. Public key signatures should generate the auth tokens, not passwords or login cookies.
- Seamless two-factor auth can then be integrated by users, so that actions at certain levels require auth on both their phone (or token) and the computer they are using.
- Computers and browsers should be able to communicate what security protocols they follow so sites don’t duplicate things at the cost of bad UI. For example, if my computer has full disk encryption and screen-saver lock, a site can know it doesn’t have to time you out. Of course that does risk browsers broadcasting to sites, “I have sucky security.” However, such sites would just say nothing about their policy, as though they don’t even know how to describe their policy.
- Sites should understand which actions need a lot of security (transferring money out of a bank account) and make me jump through hoops on those actions, but make it easy to do actions that need less security (posting to a blog).
- Indeed, the whole concept of login might go away and be replaced with a stateless concept like authenticated actions.
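The two ideas of phone-plus-computer confirmation for certain actions and of per-action security levels come down to the same mechanism: the site keeps, per session, when each factor was last verified, and each action declares which factors it needs and how fresh they must be. The following is an added example, not code from the post: a constructed policy table (the action names and freshness windows are assumptions) and an `authorize` check that either allows the action or names the factors the user must re-verify first. Unknown actions are denied rather than allowed by default.

```python
# Added example: step-up authentication by action, with per-factor freshness.
# The policy table is constructed for illustration, not taken from the post.
from typing import Dict, List, Tuple

# action -> {factor: maximum age in seconds of that factor's last verification}
ACTION_POLICY: Dict[str, Dict[str, int]] = {
    "post_to_blog":   {"password": 30 * 86400},               # cheap action, long-lived auth
    "view_balance":   {"password": 12 * 3600},
    "transfer_funds": {"password": 12 * 3600, "phone": 5 * 60},  # needs a fresh phone confirmation
}


class Session:
    """Records when each authentication factor was last verified on this device."""

    def __init__(self) -> None:
        self.verified: Dict[str, float] = {}

    def record(self, factor: str, now: float) -> None:
        self.verified[factor] = now


def stale_factors(session: Session, action: str, now: float) -> List[str]:
    """Factors the action needs that are missing or older than the policy allows."""
    if action not in ACTION_POLICY:
        raise KeyError(f"no policy for action {action!r}; denying by default")
    policy = ACTION_POLICY[action]
    return [
        factor
        for factor, max_age in policy.items()
        if factor not in session.verified or now - session.verified[factor] > max_age
    ]


def authorize(session: Session, action: str, now: float) -> Tuple[str, List[str]]:
    """Return ("allow", []) or ("step_up", [factors to re-verify]) or ("deny", [])."""
    try:
        stale = stale_factors(session, action, now)
    except KeyError:
        return ("deny", [])
    if stale:
        return ("step_up", stale)
    return ("allow", [])
```

Because only the sensitive action asks for the fresh phone confirmation, a reader left logged in can still post a comment without re-authenticating, while a money transfer from an idle session is blocked until the phone confirms it.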