Re: Explainer: IsLoggedIn (in preparation for TPAC)

On Fri, Sep 13, 2019 at 7:39 AM Brad Hill <hillbrad@gmail.com> wrote:

> The fact they can have long-lived state on my browser that identifies it
> as a vetted device for my account and which persists beyond my actually
> being "logged in" is very useful in preventing fraud against my account and
> making that recovery process easier and safer.
>

I just wanted to highlight this point as an interesting case where
long-term state serves a purpose that most of us will likely agree is
beneficial (if not critical) for security. It's common for sensitive
applications to allow users to trust a device on which they have
successfully logged in (and entered a second factor under 2FA), but the
actual authenticated session is much more short-lived; maintaining
persistent state in this case helps users log in quickly and more securely.

Received on Friday, 13 September 2019 07:21:20 UTC
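
The pattern discussed in this message, as an added example that is not part of the original thread: a long-lived "vetted device" marker kept separately from a short-lived session, where the marker only waives the second factor and never replaces the password. The token format, key, lifetimes and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# All names, lifetimes and the token format are assumptions for illustration.
SERVER_KEY = b"constructed-demo-key"   # constructed; use a random secret in practice
SESSION_TTL = 15 * 60                  # short-lived authenticated session
DEVICE_TTL = 90 * 24 * 3600            # long-lived "vetted device" marker


def _sign(kind, user, expires):
    msg = f"{kind}|{user}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue(kind, user, now):
    """Return a 'kind|user|expires|mac' token; kind is 'session' or 'device'."""
    expires = int(now) + (SESSION_TTL if kind == "session" else DEVICE_TTL)
    return f"{kind}|{user}|{expires}|{_sign(kind, user, expires)}"


def valid(token, kind, user, now):
    """Check MAC, token kind, bound user and expiry."""
    try:
        t_kind, t_user, t_exp, mac = token.split("|")
        expires = int(t_exp)
    except (AttributeError, ValueError):
        return False
    expected = _sign(t_kind, t_user, expires)
    good = hmac.compare_digest(mac.encode(), expected.encode())
    return good and t_kind == kind and t_user == user and now < expires


def login(user, password_ok, second_factor_ok, device_token, now):
    """Decide a login attempt. The device marker never replaces the password;
    it only lets a previously vetted browser skip the second factor."""
    if not password_ok:
        return "denied", None, device_token
    if valid(device_token, "device", user, now):
        return "ok", issue("session", user, now), device_token
    if second_factor_ok:
        # First successful 2FA on this browser: mark it as vetted.
        return "ok", issue("session", user, now), issue("device", user, now)
    return "need_second_factor", None, device_token
```

Because the token kind is part of the signed message, a device marker cannot be replayed as a session, and clearing the session on logout leaves the device marker in place.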