Frequent reauth doesn't make you more secure

You're happily working away, fingers flying, deep in flow, and suddenly, boink, your session has expired. You sigh, re-enter your password (again), complete an MFA challenge (again), maybe approve an email notification (again), and finally — access restored. Until next time.

This wasn't so bad when it was just passwords; we all got pretty fast at retyping our passwords. But all those MFA challenges really slow us down. And MFA fatigue attacks, a growing vector for phishing, get worse as more legitimate MFA requests arrive.

We all used to believe that changing passwords often was a good idea; turns out the opposite is true. Similarly, we all used to believe that making people log in frequently was good security. If authentication is good, then surely more authentication is better, right? Like taking vitamins — one a day is good, so twenty must be great! Except, well, that's not how anything works.

Security isn't about how often you log in. It's about how well your access is managed in the first place, how fast we can react to policy changes on your account, and how confident we are that your key hasn't been leaked since the last auth. The good news? You can get strong security guarantees without making users miserable.

Authentication usually boils down to one of two things:

Are you still in physical possession of the device? (For example, Windows Hello PINs, YubiKeys, or smart cards; tests which anyone physically present can likely pass.)

Are you the right person? (Passwords, Face ID, Touch ID — things that supposedly nobody but you can replicate, but which don't prove you're physically near a given device.)

Identity providers (IdPs) focus mostly on who you are, since their whole job is identity verification.
If they require a YubiKey, they might also check device possession, but that's not really their main gig.

Integrated authentication systems like Apple's Face ID and Touch ID, and tools like Windows Hello, are interesting becau...
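The post's central claim is that security comes from reacting quickly to policy changes and key compromise, not from a short session lifetime. The following is an added example (not code from the original post or its author) that models that claim: a long-lived session is re-checked against live account state on every request, so a removed permission or a revoked device key takes effect immediately, while a contrasting expiry-only check keeps trusting the same session until its timer runs out. All class and field names, the sample user "alice", the key id "key-laptop" and the resource names are assumptions constructed for the example.

```python
# Added example, not code from the original post. Models the post's point:
# access is governed by live account policy and key status, not by how
# recently the user typed a password. All names here are constructed.
from dataclasses import dataclass, field


@dataclass
class Account:
    """Live account state consulted on every request."""
    disabled: bool = False
    revoked_keys: set = field(default_factory=set)   # device keys reported lost/compromised
    allowed: set = field(default_factory=set)        # resources this account may reach


@dataclass
class Session:
    user: str
    device_key_id: str   # the device key the session was bound to at login
    issued_at: float     # seconds since an arbitrary epoch


class PolicyBoundSessions:
    """Sessions may be long-lived; each request is checked against current policy."""

    def __init__(self, max_age: float):
        self.max_age = max_age
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}

    def issue(self, user: str, device_key_id: str, now: float) -> str:
        self.accounts.setdefault(user, Account())
        token = f"sess-{len(self.sessions) + 1}"   # constructed opaque handle
        self.sessions[token] = Session(user, device_key_id, now)
        return token

    def check(self, token: str, resource: str, now: float) -> tuple[bool, str]:
        sess = self.sessions.get(token)
        if sess is None:
            return False, "unknown session"
        acct = self.accounts[sess.user]
        # Policy changes and key revocation are enforced on the very next
        # request, regardless of how much lifetime the session has left.
        if acct.disabled:
            return False, "account disabled"
        if sess.device_key_id in acct.revoked_keys:
            return False, "device key revoked"
        if resource not in acct.allowed:
            return False, "resource not permitted by current policy"
        if now - sess.issued_at > self.max_age:
            return False, "session expired; reauthenticate"
        return True, "ok"


def expiry_only_check(sess: Session, max_age: float, now: float) -> bool:
    """The contrasting model: a session is trusted until its timer runs out."""
    return now - sess.issued_at <= max_age


def demo() -> dict:
    """Walk one session through a policy change and a key revocation."""
    hour = 3600
    store = PolicyBoundSessions(max_age=30 * 24 * hour)   # a month-long session
    tok = store.issue("alice", "key-laptop", now=0)
    acct = store.accounts["alice"]
    acct.allowed.update({"wiki", "payroll"})

    out = {}
    out["initial"] = store.check(tok, "payroll", now=1 * hour)

    acct.allowed.discard("payroll")          # admin removes payroll access
    out["after_policy_change"] = store.check(tok, "payroll", now=1 * hour + 1)
    out["wiki_still_ok"] = store.check(tok, "wiki", now=1 * hour + 1)

    acct.revoked_keys.add("key-laptop")      # laptop key reported compromised
    out["after_revocation"] = store.check(tok, "wiki", now=2 * hour)

    # An 8-hour expiry-only session is still trusted at the 2-hour mark,
    # even though the key it is bound to was just revoked.
    out["expiry_only_after_revocation"] = expiry_only_check(
        store.sessions[tok], max_age=8 * hour, now=2 * hour)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the contrast is in the last two entries of `demo()`: the policy-bound check rejects the revoked key at once, whereas the expiry-only model would keep honouring the session for another six hours, and forcing a shorter timer only narrows that window at the cost of more prompts.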