Re: Explainer: IsLoggedIn (in preparation for TPAC)

On Fri, Sep 13, 2019 at 7:39 AM Brad Hill <> wrote:

> The fact they can have long-lived state on my browser that identifies it
> as a vetted device for my account and which persists beyond my actually
> being "logged in" is very useful in preventing fraud against my account and
> making that recovery process easier and safer.

I just wanted to highlight this point as an interesting case where
long-term state serves a purpose that most of us will likely agree is
beneficial (if not critical) for security. It's common for sensitive
applications to allow users to trust a device on which they have
successfully logged in (and entered a second factor under 2FA), but the
actual authenticated session is much more short-lived; maintaining
persistent state in this case helps users log in quickly and more securely.

Received on Friday, 13 September 2019 07:21:20 UTC