
Re: Explainer: IsLoggedIn (in preparation for TPAC)

From: Artur Janc <aaj@google.com>
Date: Fri, 13 Sep 2019 09:20:46 +0200
Message-ID: <CAPYVjqrgNYDVU_bv=BJypCkUu=8WD=2JBXn_z5gkuVVU-rwwdQ@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: John Wilander <wilander@apple.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Fri, Sep 13, 2019 at 7:39 AM Brad Hill <hillbrad@gmail.com> wrote:

> The fact they can have long-lived state on my browser that identifies it
> as a vetted device for my account and which persists beyond my actually
> being "logged in" is very useful in preventing fraud against my account and
> making that recovery process easier and safer.

I just wanted to highlight this point as an interesting case where
long-term state serves a purpose that most of us will likely agree is
beneficial (if not critical) for security. It's common for sensitive
applications to allow users to trust a device on which they have
successfully logged in (and entered a second factor under 2FA), but the
actual authenticated session is much more short-lived; maintaining
persistent state in this case helps users log in quickly and more securely.
Received on Friday, 13 September 2019 07:21:20 UTC
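To make the two lifetimes discussed above concrete, here is an added example (written for this archive page, not code from the thread or from any browser or site vendor) of a minimal server-side model: a short-lived authenticated session plus a separate, longer-lived, HMAC-signed device-trust token that is only minted after a successful second factor and lets later logins from that same device skip the 2FA step. The class name `AuthServer`, the TTL values and the token layout are assumptions made for the illustration.

```python
import hmac, hashlib, secrets, time

SESSION_TTL = 15 * 60          # assumed: authenticated session lasts 15 minutes
DEVICE_TRUST_TTL = 30 * 86400  # assumed: "trusted device" state lasts 30 days


class AuthServer:
    """Toy model: short-lived sessions, long-lived device trust (assumed design)."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now          # injectable clock so lifetimes can be tested
        self.sessions = {}      # session token -> (user, expiry)

    def _sign(self, user, device_id, expiry):
        # Bind the trust token to this user, this device and an expiry.
        msg = f"{user}|{device_id}|{expiry}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue_device_trust(self, user, device_id):
        # Only called after a full login including the second factor.
        expiry = int(self.now()) + DEVICE_TRUST_TTL
        return f"{user}|{device_id}|{expiry}|{self._sign(user, device_id, expiry)}"

    def device_is_trusted(self, user, device_id, token):
        try:
            t_user, t_dev, t_exp, mac = token.split("|")
            t_exp = int(t_exp)
        except (ValueError, AttributeError):
            return False        # malformed token is simply not trusted
        if t_user != user or t_dev != device_id or t_exp <= self.now():
            return False        # wrong account, wrong device, or expired
        return hmac.compare_digest(mac, self._sign(t_user, t_dev, t_exp))

    def login(self, user, password_ok, second_factor_ok, device_id, trust_token=None):
        """Return (session_token, device_trust_token) on success, else None."""
        if not password_ok:
            return None
        trusted = trust_token is not None and self.device_is_trusted(user, device_id, trust_token)
        if not trusted and not second_factor_ok:
            return None         # an untrusted device must present the second factor
        session = secrets.token_hex(16)
        self.sessions[session] = (user, self.now() + SESSION_TTL)
        # Reuse existing trust; mint new trust only after a 2FA-backed login.
        return session, (trust_token if trusted else self.issue_device_trust(user, device_id))

    def session_valid(self, session):
        entry = self.sessions.get(session)
        return entry is not None and entry[1] > self.now()
```

The device-trust token deliberately outlives the session: after the session expires, a login from the same device still needs the password but not the second factor, while a different device, a different account, a tampered token or an expired token falls back to full 2FA.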
