> Can people clarify what “re-authentication” is exactly and how it differs from authentication? We should probably add a definition, but basically it means that you have authenticated on a site/page once, the site is maintaining some state (e.g. a cookie), but returning to the page requires a reduced form of authentication. I think there are broadly three types of behavior, sites will either: * Auto-re-authentication: Maintain your session (via cookies), and you don’t have to (re)authenticate at all (e.g. twitter). * Re-authentication: Detect your previous authentication (via cookies) and then ask for a password, or perhaps the second factor again to confirm it is you at the keyboard (e.g. lastpass when set to remember your username but not password). * Authentication: Make you to authenticate from fresh every time you arrive (e.g. my bank). It is the second case that we’re trying to catch with re-authentication, the last case does not make any effort to maintain a previous session, and the first doesn’t require anything of the user. HTH, -AlastairReceived on Wednesday, 20 December 2017 14:08:05 UTC
This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 21:08:18 UTC